
passwords in the clear



The recent IMAP revision spec used to allow the LOGIN command (equivalent to
simple bind) without requiring a security layer, and this was rejected by the
IESG.

In RFC 3501, we developed compromise text that addressed the IESG's desire to
strongly deprecate passwords in the clear, while still allowing legacy
implementations.  Recasting that text in LDAP terms looks roughly like this:

----
   Use of simple bind sends passwords in the clear.  This can be
   avoided by using SASL bind [SASL] with a mechanism
   that does not use plaintext passwords, or by first negotiating
   encryption via STARTTLS or some other protection mechanism.

   A server implementation MUST implement a configuration that, at the
   time of authentication, requires:
      (1) A STARTTLS encryption layer has been successfully negotiated.
   OR
      (2) Some other mechanism that protects the session from password
      snooping has been provided.
   OR
      (3) The following measures are in place:
         (a) The simple bind operation returns an error even if the
         password is correct.
      AND
         (b) The SASL bind operation returns an error with all [SASL]
         mechanisms that use plaintext passwords, even if the password
         is correct.
----

                - Chris
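The three-way requirement in the proposed text, as an added example that is not part of Chris's message and not code from any real LDAP server: a toy bind gate that applies the check before the password is consulted, so that measures (3a) and (3b) return the same error whether or not the password was correct. Everything in it is hypothetical: a per-session security strength factor (SSF) set by a simulated STARTTLS, a user table keyed by bare name with the DN `cn=<name>,dc=example,dc=com`, the threshold `min_ssf`, the `legacy_plaintext` switch, and a SASL front end that implements only PLAIN (password on the wire) and CRAM-MD5 (challenge/response, password never on the wire). Result codes are the standard LDAP ones from RFC 4511.

```python
"""Toy LDAP bind gate for the three-way requirement in the proposed text.

Added example, not code from the message or from any LDAP server.  Names,
thresholds and the user table are all assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

# LDAP result codes (RFC 4511).
SUCCESS = 0
AUTH_METHOD_NOT_SUPPORTED = 7
CONFIDENTIALITY_REQUIRED = 13
INVALID_CREDENTIALS = 49

# SASL mechanisms that carry the password itself across the wire.
PLAINTEXT_SASL_MECHS = frozenset({"PLAIN", "LOGIN"})

# Constructed sample directory (a real server keeps hashes, not this).
USERS = {"alice": "correct horse battery staple"}


class Session:
    """One client connection; ssf == 0 means no protection layer at all."""

    def __init__(self):
        self.ssf = 0
        self.bound_as = None

    def starttls(self, negotiated_ssf=128):
        # Stands in for a successful STARTTLS (or other protection) negotiation.
        self.ssf = negotiated_ssf


class BindGate:
    """min_ssf is the threshold for conditions (1)/(2); legacy_plaintext=True is
    the non-compliant configuration the text still tolerates for old deployments."""

    def __init__(self, users, min_ssf=128, legacy_plaintext=False):
        self.users = users
        self.min_ssf = min_ssf
        self.legacy_plaintext = legacy_plaintext

    def _protected(self, session):
        return session.ssf >= self.min_ssf

    @staticmethod
    def _name_from_dn(dn):
        # Toy DN parsing: the value of the leading cn= RDN is the user name.
        attr, _, value = dn.split(",", 1)[0].partition("=")
        return value if attr.strip().lower() == "cn" else None

    def _check_password(self, session, name, password):
        stored = self.users.get(name)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            session.bound_as = name
            return SUCCESS
        return INVALID_CREDENTIALS

    def simple_bind(self, session, dn, password):
        # Measure (3a): refuse BEFORE the password is consulted, so the answer
        # is identical whether or not the password was correct.
        if not self._protected(session) and not self.legacy_plaintext:
            return CONFIDENTIALITY_REQUIRED
        return self._check_password(session, self._name_from_dn(dn), password)

    def sasl_bind(self, session, mechanism, respond):
        """respond(challenge: bytes) -> str is the client's side of the exchange."""
        if mechanism in PLAINTEXT_SASL_MECHS:
            # Measure (3b): PLAIN/LOGIN get exactly the same gate as simple bind.
            if not self._protected(session) and not self.legacy_plaintext:
                return CONFIDENTIALITY_REQUIRED
            if mechanism != "PLAIN":
                return AUTH_METHOD_NOT_SUPPORTED  # LOGIN not implemented in this toy
            parts = respond(b"").split("\0")  # RFC 4616: authzid NUL authcid NUL passwd
            if len(parts) != 3:
                return INVALID_CREDENTIALS
            _authzid, authcid, passwd = parts
            return self._check_password(session, authcid, passwd)
        if mechanism == "CRAM-MD5":
            # Challenge/response (RFC 2195): only an HMAC over a fresh challenge
            # crosses the wire, so the text permits it without a protection layer.
            challenge = secrets.token_bytes(16)
            name, _, digest = respond(challenge).partition(" ")
            stored = self.users.get(name)
            if stored is None:
                return INVALID_CREDENTIALS
            expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
            if hmac.compare_digest(expected, digest):
                session.bound_as = name
                return SUCCESS
            return INVALID_CREDENTIALS
        return AUTH_METHOD_NOT_SUPPORTED


def cram_md5_client(name, password):
    """Client responder for CRAM-MD5: HMAC-MD5 keyed by the password."""
    def respond(challenge):
        return name + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return respond


def plain_client(name, password):
    """Client responder for PLAIN: the password itself goes on the wire."""
    return lambda _challenge: "\0" + name + "\0" + password
```

Note the ordering in `simple_bind`: the SSF check comes first, so an unprotected session gets `confidentialityRequired` (13) without the server ever comparing the password, which is what (3a) asks for. In OpenLDAP the same policy is expressed with `security simple_bind=128` (minimum SSF for simple bind) together with `sasl-secprops noplain` (refuse SASL mechanisms that send the password), as documented in slapd.conf(5).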