Re: Simple auth and TLS (Was: authmeth review notes [long])

["RL 'Bob' Morgan" <rlmorgan@washington.edu>]

On Wed, 10 Mar 2004, Michael Ströder wrote:

> SHOULD seems strong enough to me to require TLS and there are various
> other means by which you can protect clear-text passwords transmitted
> which are outside this specification (e.g. IPsec, Unix domain socket,
> etc.). That's local security policy and the security issues should be
> made very clear but IMHO "MUST [..] TLS" is too strong here.

IETF standard protocol documents describe (and constrain) the behavior of
implementations, as Kurt wrote:

> > Michael, I believe the text, which mandates implementations be
> > capable of protecting simple password authentication using TLS,

The choice of using IPsec, etc, as you suggest, is a deployment-time
choice, and our documents generally say nothing about what deployers can
or should do.  But the requirement, for which MUST is I think entirely
appropriate, for *implementations* of LDAPv3 is that they must *be
capable* of using TLS, if they do password authentication.

 - RL "Bob"