RE: Issues with current authmeth draft.
I don't like messages that say "hear, hear", but I feel compelled to say hear, hear! There is also no credence given to the greater effort required to run TLS operationally. Digest-MD5 was suggested as a replacement for CRAM-MD5 not, as I believe, because it had very little connection with directories, but because it was argued to be superior. The aim, though, was a password mechanism that did not present the password in the clear.
Ron
-----Original Message-----
From: Mark Ennis [mailto:mark.ennis@adacel.com]
Sent: Tuesday, 13 May 2003 10:08
To: Kurt D. Zeilenga
Cc: Ramsay, Ron; ietf-ldapbis@OpenLDAP.org
Subject: Re: Issues with current authmeth draft.
Kurt D. Zeilenga wrote:
>
> If the client knows instead a DN and password, then it should use a
> mechanism intended for DN/password authentication (such as
> Simple bind over TLS).
From an interoperability perspective this has problems as a server is
only required to implement DIGEST-MD5 and simple authentication, not
TLS. This theoretical client would then only be able to interwork with
servers which implement TLS or would be forced to use a less secure
authentication mechanism (simple bind without TLS). This seems counter
to the reasons in RFC2829 and [authmeth] for introducing SASL
mechanisms, in particular, SASL DIGEST-MD5.
- Mark.
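The two points made above, Ron's that DIGEST-MD5 was wanted as a password mechanism that keeps the password off the wire and Mark's that a DN/password client cannot count on the server offering TLS, as an added Python example that is not part of this thread or of any LDAP implementation: a mechanism-selection rule evaluated over constructed root DSE attributes, and a minimal DIGEST-MD5 (RFC 2831) client response and server check so the challenge/response property can be seen directly. The server capability lists, username, realm, digest-uri and the fixed nonces are assumptions made for the example.

```python
import hashlib
import secrets

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # Start TLS extended operation (RFC 2830)

# Constructed root DSE attribute sets for two hypothetical servers (not captured
# from any real directory). Both carry the mandatory-to-implement DIGEST-MD5;
# only the first advertises Start TLS.
TLS_SERVER = {
    "supportedSASLMechanisms": ["DIGEST-MD5"],
    "supportedExtension": [STARTTLS_OID],
}
NO_TLS_SERVER = {
    "supportedSASLMechanisms": ["DIGEST-MD5"],
    "supportedExtension": [],
}


def choose_mechanism(root_dse):
    """Pick how a password-holding client authenticates, given what the server
    advertises, without ever falling back to a cleartext simple bind.

    root_dse maps attribute type -> list of values as read from the root DSE.
    Returns a label for the chosen method, or None if no protected method exists.
    """
    sasl = set(root_dse.get("supportedSASLMechanisms", []))
    exts = set(root_dse.get("supportedExtension", []))
    if STARTTLS_OID in exts:
        return "simple over StartTLS"   # DN/password semantics, password shielded by TLS
    if "DIGEST-MD5" in sasl:
        return "DIGEST-MD5"             # password proven by challenge/response, not sent
    return None                         # refuse rather than bind simple in the clear


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def password_hash(username, realm, password):
    """H(username:realm:password): the only secret a DIGEST-MD5 server needs to store."""
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest(inner, nonce, cnonce, nc, qop, digest_uri, a2_prefix, authzid=None):
    """RFC 2831 section 2.1.2.1: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))).
    The inner H(user:realm:pass) enters A1 as raw octets, not hex."""
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"{a2_prefix}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    ha1, ha2 = _md5(a1).hex(), _md5(a2).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()


def client_response(username, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Client side: A2 starts with "AUTHENTICATE"."""
    inner = password_hash(username, realm, password)
    return _digest(inner, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_check(inner_hash, nonce, cnonce, nc, digest_uri, qop, presented):
    """Server side: recompute from the stored hash; on success return rspauth
    (same digest with an empty A2 prefix), otherwise None."""
    expected = _digest(inner_hash, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")
    if not secrets.compare_digest(expected, presented):
        return None
    return _digest(inner_hash, nonce, cnonce, nc, qop, digest_uri, "")


def run_exchange(client_password, server_password=None):
    """Drive one exchange with constructed parameters; fixed nonces keep it
    reproducible, a real client must generate a fresh cnonce each time."""
    username, realm, uri = "chris", "example.com", "ldap/ldap.example.com"
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
    if server_password is None:
        server_password = client_password
    stored = password_hash(username, realm, server_password)   # what the server keeps
    resp = client_response(username, realm, client_password, nonce, cnonce, nc, uri, qop)
    wire = (f'username="{username}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc={nc},qop={qop},digest-uri="{uri}",response={resp},charset=utf-8')
    return {"wire": wire, "rspauth": server_check(stored, nonce, cnonce, nc, uri, qop, resp)}


if __name__ == "__main__":
    print(choose_mechanism(TLS_SERVER), "/", choose_mechanism(NO_TLS_SERVER))
    result = run_exchange("secret")
    print(result["wire"])
    print("rspauth:", result["rspauth"])
```

The digest-response string never contains the password, only a response derived from it together with both nonces, which is the property the thread is after. Two caveats a deployment should weigh: the server must keep H(username:realm:password), which is password-equivalent for this realm, so the directory's own credential store becomes the sensitive asset; and DIGEST-MD5 has since been moved to Historic status by RFC 6331, so the selection rule above reflects the 2003 mandatory-to-implement set, not current guidance.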