[Date Prev][Date Next]
Re: Simple auth and TLS (Was: authmeth review notes [long])
Kurt D. Zeilenga writes:
>At 10:25 AM 3/9/2004, Hallvard B Furuseth wrote:
>>Michael Ströder writes:
>>>Kurt D. Zeilenga wrote:
>>>> LDAP implementations SHOULD support the simple DN/password mechanism
>>>> of the simple Bind method (as detailed in Section X).
>>>> which support this mechanism MUST be capable of protecting it by
>>>> establishment (as discussed in Section 3) of TLS.
>>Still wrong. Together, these changes require implementations that do
>>not support TLS, to implement a security hole.
> Which security hole you refer to here?
Simple bind with an unprotected cleartext password. But I should have
said, implementations will be required to _support_ a security hole.
They don't have to activate it. Unfortunately, one can trust some users
to activate it, and some server admins to allow such binds.