Re: Simple auth and TLS (Was: authmeth review notes [long])

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 12:48 AM 3/10/2004, RL 'Bob' Morgan wrote:
>The choice of using IPsec, etc, as you suggest, is a deployment-time
>choice, and our documents generally say nothing about what deployers can
>or should do.  But the requirement, for which MUST is I think entirely
>appropriate, for *implementations* of LDAPv3 is that they must *be
>capable* of using TLS, if they do password authentication. 

In a previous note in response to Hallvard, I had noted that it
likely was fine to add ""or other suitable means (e.g., IPSec)".
However, I now have to retract this.  I agree with you that
we need to place a requirement upon the implementation to
provide adequate protection and the only suitable protective
service to mandate here is TLS.

Kurt