Ramsay, Ron wrote:
The concept of realm in DIGEST-MD5 came from HTTP. But this concept is not HTTP specific, e.g. Kerberos uses it as well.

I've previously raised concerns about using Digest-MD5 in LDAP. The form of the challenge-response requires structures foreign to LDAP - you mention the realm.

The problem I have with the document is that it references realm without explaining what it is (or at least some examples of valid values). For LDAP, some recommendations should be given. For example:

An authentication method required for LDAP can really only make use of information like the DN or attributes in an entry identified by the DN. Kurt has recommended that servers generate the information required by Digest-MD5 using local knowledge, but I cannot agree with a required authentication method not using native LDAP "concepts".
Of course other choices are possible.
Alexey