
Re: passwords in the clear
Hallvard B Furuseth wrote on 11/12/03 15:17 +0100:
> authmeth 7.1 (Simple Authentication) says:
> 
>    LDAP implementations SHOULD NOT support authentication
>    with the "simple" authentication choice unless the data on the
>    connection is protected using TLS or other data confidentiality and
>    data integrity protection.
> 
> Are you saying this is insufficient?

Yes, that is insufficient.  That is equivalent to the initial text we had in
IMAP which was rejected by the security ADs.  Granted, it went through when Jeff
was still an AD, so it might slip through with today's security ADs, but I do
think the compromise text is actually an improvement.  And I'd rather have this
draft sail through quickly than get stuck with a discuss.

> How about just adding '...and
> servers MUST support a configuration which rejects "simple"
> authentication unless such protection is in place.'
> 
> Or maybe that should be 'MUST by default reject...'.

Either of these is acceptable if expressed with sufficient precision.

The requirement has to apply to all plain password mechanisms including simple
bind, SASL PLAIN and any other plain-password-based SASL mechanism.  And a bit
more detail about what sort of protection is needed.

                - Chris
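As an added illustration (not from this thread or from the authmeth draft), here is how the "reject simple authentication unless the connection is protected" configuration Hallvard proposes can be expressed for OpenLDAP's slapd.conf; `security simple_bind=` and `sasl-secprops` are real slapd directives, while the 128-bit threshold and the note on how Cyrus SASL treats an external TLS layer are assumptions about a typical deployment.

```conf
# slapd.conf fragment (added example, not the thread's text).

# Weak (the default when no "security" directive is present): a simple bind is
# accepted on any connection, so the password crosses the wire in the clear.
#
#   security ssf=0

# Hardened: a simple bind is only accepted when the connection's security
# strength factor is at least 128, i.e. TLS with a 128-bit-or-stronger cipher.
# An unprotected simple bind is refused with confidentialityRequired instead of
# exposing the password.  (128 is an assumed policy value; pick your own.)
security simple_bind=128

# The same requirement must cover SASL PLAIN and any other plain-password SASL
# mechanism.  "noplain" tells the Cyrus SASL layer to refuse mechanisms that
# transmit a plaintext password; assumed here to be relaxed only once an
# external security layer such as TLS is already negotiated on the connection.
sasl-secprops noplain
```

With both directives in place, a client that has not negotiated TLS (via ldaps:// or Start TLS) can neither simple-bind nor use SASL PLAIN, which is the server-side behaviour the proposed "MUST support a configuration which rejects" wording asks for.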