Re: Issues with current authmeth draft.



Kurt D. Zeilenga wrote:

If the client knows instead a DN and password, then it should use a mechanism intended for DN/password authentication (such as Simple bind over TLS).

From an interoperability perspective this has problems as a server is only required to implement DIGEST-MD5 and simple authentication, not TLS. This theoretical client would then only be able to interwork with servers which implement TLS or would be forced to use a less secure authentication mechanism (simple bind without TLS). This seems counter to the reasons in RFC2829 and [authmeth] for introducing SASL mechanisms, in particular, SASL DIGEST-MD5.


- Mark.