Re: Simple auth and TLS (Was: authmeth review notes [long])

[Michael Ströder <michael@stroeder.com>]

Kurt D. Zeilenga wrote:
> Michael, I believe the text, which mandates implementations be
> capable of protecting simple password authentication using TLS,
> is supported by WG consensus.  Operational experience has shown,
> that in absence of such mandates, implementations will not offer
> adequate protective services.

In principle I support the WG consensus that clear-text passwords have to be 
protected. And in most cases I'm in favour of protecting the LDAP connection 
instead of relying on trusted networks etc.

SHOULD seems strong enough to me to require TLS and there are various other 
means by which you can protect clear-text passwords transmitted which are 
outside this specification (e.g. IPsec, Unix domain socket, etc.). That's 
local security policy and the security issues should be made very clear but 
IMHO "MUST [..] TLS" is too strong here.

Ciao, Michael.