There was considerable discussion at the IETF 63 meeting regarding recent research into challenge-response protocols (such as DIGEST-MD5) being vulnerable to off-line dictionary attacks (see http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ).
One proposal was to recommend performing challenge-response authentication over TLS-protected connections. If we moved this dirction, then requiring the use of DIGEST-MD5 security layers seems redundant.
What effect, if any, does this have on our use of DIGEST-MD5 as the mandatory-to-implement strong authentication mechanism for LDAP?
Roger