
Re: Simple auth and TLS (Was: authmeth review notes [long])



Kurt D. Zeilenga writes:
>At 10:25 AM 3/9/2004, Hallvard B Furuseth wrote:
>>Michael Ströder writes:
>>>Kurt D. Zeilenga wrote:
>>>> 
>>>>  LDAP implementations SHOULD support the simple DN/password mechanism
>>>>  of the simple Bind method (as detailed in Section X).
>>> 
>>> s/SHOULD/MUST/
>>> 
>>>>  Implementations
>>>>  which support this mechanism MUST be capable of protecting it by
>>>>  establishment (as discussed in Section 3) of TLS. 
>>> 
>>> s/MUST/SHOULD/
>>
>>Still wrong.  Together, these changes require implementations that do
>>not support TLS, to implement a security hole.
> 
> Which security hole are you referring to here?

Simple bind with an unprotected cleartext password.  But I should have
said, implementations will be required to _support_ a security hole.
They don't have to activate it.  Unfortunately, one can trust some users
to activate it, and some server admins to allow such binds.

-- 
Hallvard
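To make concrete what "support it but don't activate it" means on the server side, here is an added example (my own code, not from this thread or from any LDAP implementation): it builds a constructed LDAPv3 simple BindRequest in its RFC 4511 BER layout, parses the cleartext password straight back out of the PDU bytes, and applies the policy the thread argues for, returning confidentialityRequired (resultCode 13 in RFC 4511) unless TLS already protects the connection. Function names, the sample DN and the password are assumptions made for the example.

```python
# Added example (not from the thread): an LDAPv3 simple BindRequest in its RFC 4511
# BER layout, and a server-side policy that refuses it on an unprotected connection.
# DNs, passwords and message IDs below are constructed sample values.

def _enc(tag, value):
    assert len(value) < 128              # short-form length is enough for the sample PDUs
    return bytes([tag, len(value)]) + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind = _enc(0x60, _enc(0x02, b"\x03") + _enc(0x04, dn.encode()) + _enc(0x80, password.encode()))
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + bind)

def _tlv(buf, pos):
    """Decode one BER TLV (short or long definite length): (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Extract messageID, DN and AuthenticationChoice from a BindRequest PDU."""
    _, msg, _ = _tlv(pdu, 0)               # outer LDAPMessage SEQUENCE
    _, msg_id, pos = _tlv(msg, 0)
    tag, bind, _ = _tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] is BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, _, pos = _tlv(bind, 0)              # version, skipped
    _, dn, pos = _tlv(bind, pos)
    tag, cred, _ = _tlv(bind, pos)
    req = {"id": int.from_bytes(msg_id, "big"), "dn": dn.decode()}
    if tag == 0x80:                        # simple [0] OCTET STRING: the cleartext password
        req.update(mechanism="simple", password=cred.decode())
    elif tag == 0xA3:                      # sasl [3] SaslCredentials
        req.update(mechanism="sasl", password=None)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return req

def bind_decision(pdu, tls_established):
    """Supported but not 'activated': a non-empty simple password is accepted only
    once TLS protects the connection. Returns (action, resultCode); 13 = confidentialityRequired."""
    req = parse_bind_request(pdu)
    if req["mechanism"] == "sasl":
        return ("sasl", 0)                 # SASL handles its own protection; out of scope here
    if req["dn"] == "" and req["password"] == "":
        return ("anonymous", 0)            # nothing secret crosses the wire
    if req["password"] and not tls_established:
        return ("reject", 13)
    return ("check-credentials", 0)
```

Note that the same parser, run over traffic captured on port 389, is enough to flag simple binds that were sent without StartTLS, which is the monitoring-side counterpart of the server policy.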