[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 26 May 2003 22:45:52 +0200
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <5.2.0.9.0.20030526125326.0293ac10@127.0.0.1>
References: <5.2.0.9.0.20030523163225.0278b740@127.0.0.1> <5.2.0.9.0.20030523163225.0278b740@127.0.0.1> <5.2.0.9.0.20030526125326.0293ac10@127.0.0.1>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3.1) Gecko/20030425

Kurt D. Zeilenga wrote:

At 12:40 PM 5/26/2003, Michael Ströder wrote:
Kurt D. Zeilenga wrote:
KurtZ raised a security consideration regarding session hijacking.
Add consideration.
???
"Add: Use of integrity protection is encouraged to prevent session hijacking."
Which session is meant here?
The LDAP session.
If one uses a mechanism such as DIGEST-MD5 without negotiating integrity protection to authenticate, a man-in-middle can hijack the session after authentication completes.


Does that really belong into draft-ietf-ldapbis-user-schema?
How does that relate to the schema definitions?

I can understand that one emphasizes security for e.g. userPassword (could be added to section 'Security Considerations', generalized and extended). But IMHO LDAP session security is out of scope in this document.

Ciao, Michael.

References:
- Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
Next by Date: RE: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
Index(es):
- Chronological
- Thread