Re: Simple auth and TLS (Was: authmeth review notes [long])



Hallvard, never mind regarding my previous post.  After re-reading
Michael's and your messages, I believe I understand what each of
you is getting at.

Michael, I believe the text, which mandates implementations be
capable of protecting simple password authentication using TLS,
is supported by WG consensus.  Operational experience has shown
that, in the absence of such mandates, implementations will not offer
adequate protective services.

Kurt

At 10:25 AM 3/9/2004, Hallvard B Furuseth wrote:
>Michael Ströder writes:
>>Kurt D. Zeilenga wrote:
>>> 
>>>  LDAP implementations SHOULD support the simple DN/password mechanism
>>>  of the simple Bind method (as detailed in Section X).
>> 
>> s/SHOULD/MUST/
>> 
>>>  Implementations
>>>  which support this mechanism MUST be capable of protecting it by
>>>  establishment (as discussed in Section 3) of TLS. 
>> 
>> s/MUST/SHOULD/
>
>Still wrong.  Together, these changes require implementations that do
>not support TLS to implement a security hole.
>
>-- 
>Hallvard