Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
At 12:40 PM 5/26/2003, Michael Ströder wrote:
>Kurt D. Zeilenga wrote:
>>KurtZ raised a security consideration regarding session hijacking.
>>Add consideration.
>
>???
>
>I can only find this comment in the mailing list archive:
The comment was raised in "the laundry list".
http://www.openldap.org/lists/ietf-ldapbis/200305/msg00084.html
>"Add: Use of integrity protection is encouraged to prevent session hijacking."
>
>Which session is meant here?
The LDAP session.
If one uses a mechanism such as DIGEST-MD5 without
negotiating integrity protection to authenticate,
a man-in-the-middle can hijack the session after
authentication completes.
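
The check implied by the reply above, as an added example that is not part of the original message: a server-side policy function that reads the qop a client selected in its DIGEST-MD5 digest-response (RFC 2831) and reports whether the LDAP session is left without integrity protection. The function names, the `tls_active` flag (treating TLS as an acceptable integrity layer is an assumption of this example) and the sample responses are constructed for illustration.

```python
import re

# One "key=value" directive; a value is a quoted-string (which may contain
# commas) or a bare token, as in RFC 2831 challenges and responses.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)'
)

def parse_directives(message: str) -> dict:
    """Parse a DIGEST-MD5 challenge or response into a lowercase-keyed dict."""
    parsed = {}
    for key, value in _DIRECTIVE.findall(message):
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = re.sub(r'\\(.)', r'\1', value[1:-1])  # unquote, unescape
        parsed[key.lower()] = value
    return parsed

def negotiated_qop(digest_response: str) -> str:
    """qop selected by the client; RFC 2831 defaults it to "auth" if absent."""
    return parse_directives(digest_response).get("qop", "auth").lower()

def lacks_integrity_layer(digest_response: str, tls_active: bool = False) -> bool:
    """True when the bind authenticated the user but nothing protects the
    LDAP PDUs that follow, the condition the reply describes."""
    if tls_active:  # assumption: TLS counts as integrity protection
        return False
    return negotiated_qop(digest_response) not in ("auth-int", "auth-conf")

# Constructed sample digest-responses (values are placeholders, not real).
_COMMON = ('username="alice",realm="example.com",nonce="n1",cnonce="c1",'
           'nc=00000001,digest-uri="ldap/ldap.example.com",'
           'response=0123456789abcdef0123456789abcdef')
RESP_AUTH_ONLY = _COMMON + ",qop=auth"
RESP_AUTH_INT = _COMMON + ",qop=auth-int"
RESP_NO_QOP = _COMMON

if __name__ == "__main__":
    for name, resp in [("auth", RESP_AUTH_ONLY), ("auth-int", RESP_AUTH_INT),
                       ("absent", RESP_NO_QOP)]:
        print(f"qop {name}: unprotected session = {lacks_integrity_layer(resp)}")
```

A server that wants to enforce this can refuse further operations on a connection for which `lacks_integrity_layer` returns true, or offer only `auth-int` and `auth-conf` in its challenge.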