Re: passwords in the clear
I have to confer with others before I come back with a response to this,
but...
It seems like changing passwords in the clear would present similar issues.
If someone can snoop for bind requests, it wouldn't seem much harder to
also snoop for password change operations (password modify extended op,
modify of userPassword, etc.).
Do we want to consider extending this to cover that?
John McMeeking
Chris Newman <Chris.Newman@Sun.COM>
Sent by: owner-ietf-ldapbis@OpenLDAP.org
To: ietf-ldapbis@OpenLDAP.org
Subject: passwords in the clear
11/11/2003 01:55 PM
The recent IMAP revision spec used to allow the LOGIN command (equivalent
to simple bind) without requiring a security layer and this was rejected by
the IESG.
In RFC 3501, we developed compromise text that addressed the IESG's desire
to strongly deprecate passwords in the clear, while still allowing legacy
implementations. Recasting that text in LDAP terms looks roughly like this:
----
Use of simple bind sends passwords in the clear. This can be
avoided by using SASL bind [SASL] with a mechanism
that does not use plaintext passwords, by first negotiating
encryption via STARTTLS or some other protection mechanism.
A server implementation MUST implement a configuration that, at the
time of authentication, requires:
(1) A STARTTLS encryption layer has been successfully negotiated.
OR
(2) Some other mechanism that protects the session from password
snooping has been provided.
OR
(3) The following measures are in place:
(a) The simple bind operation returns an error even if the
password is correct.
AND
(b) The SASL bind operation returns an error with all [SASL]
mechanisms that use plaintext passwords, even if the password
is correct.
----
- Chris
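As an added illustration (not code from either poster or from any LDAP server), the following models the proposed server configuration as a policy check: an operation that would carry a plaintext password is refused before the credential is even examined unless condition (1) or (2) holds, and the same rule is extended to the password-change operations John raises. Assumptions are marked in the comments: the result code confidentialityRequired is chosen here because the proposed text only says "an error", PLAIN and LOGIN stand in for the plaintext SASL mechanisms, and an anonymous simple bind is treated as carrying no password.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: these are the SASL mechanisms treated as "using plaintext passwords";
# a real deployment would derive this from the mechanisms it actually offers.
PLAINTEXT_SASL_MECHS = frozenset({"PLAIN", "LOGIN"})

# Assumption: John McMeeking's extension of the rule to password changes
# (Password Modify extended op, Modify of userPassword).
PASSWORD_CHANGE_OPS = frozenset({"passwordModify", "modify:userPassword"})

@dataclass(frozen=True)
class Session:
    tls_negotiated: bool = False     # (1) STARTTLS layer successfully negotiated
    other_protection: bool = False   # (2) some other mechanism protecting the session

@dataclass(frozen=True)
class Request:
    op: str                          # "simpleBind", "saslBind", a PASSWORD_CHANGE_OPS entry, or other
    sasl_mech: Optional[str] = None  # mechanism name when op == "saslBind"
    anonymous: bool = False          # assumption: anonymous simple bind sends no password
    password_ok: bool = False        # outcome of the credential check, used only if policy allows

def session_protected(s: Session) -> bool:
    return s.tls_negotiated or s.other_protection

def exposes_password(r: Request) -> bool:
    """Would this request put a password on the wire in the clear?"""
    if r.op == "simpleBind":
        return not r.anonymous
    if r.op == "saslBind":
        return (r.sasl_mech or "").upper() in PLAINTEXT_SASL_MECHS
    return r.op in PASSWORD_CHANGE_OPS

def evaluate(s: Session, r: Request) -> str:
    """Policy (3): reject password-exposing operations on unprotected sessions
    regardless of whether the password is correct. Returns an LDAP-style result."""
    if exposes_password(r) and not session_protected(s):
        # Assumption: confidentialityRequired is the error returned; the proposal only says "an error".
        return "confidentialityRequired"
    if r.op in ("simpleBind", "saslBind"):
        return "success" if r.password_ok else "invalidCredentials"
    return "proceed"  # non-bind operation: continue normal processing
```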