Re: authmeth-15: mandatory-to-implement strong authentication
Roger,
I get the impression from this message that the SASL DIGEST-MD5 security
layers are being proposed as mandatory to implement in authmeth. It was
my understanding that only the SASL DIGEST-MD5 authentication mechanism
was to be mandatory to implement. If we are going to require a mandatory
to implement security layer in authmeth then I think it should be
startTLS not SASL DIGEST-MD5 as, in my experience, startTLS is far more
common in both client and server implementations. Then, if we have a
mandatory to implement security layer, it removes the need for a
challenge response authentication method being mandatory to implement as
the IESG security requirements are met by simple authentication over TLS.
- Mark.
Roger Harrison wrote:
There was considerable discussion at the IETF 63 meeting regarding
recent research into challenge-response protocols (such as DIGEST-MD5)
being vulnerable to off-line dictionary attacks (see
http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and
http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ).
One proposal was to recommend performing challenge-response
authentication over TLS-protected connections. If we moved this
direction, then requiring the use of DIGEST-MD5 security layers seems
redundant.
What effect, if any, does this have on our use of DIGEST-MD5 as the
mandatory-to-implement strong authentication mechanism for LDAP?
Roger