
Re: authmeth-15: mandatory-to-implement strong authentication



Roger,

I get the impression from this message that the SASL DIGEST-MD5 security layers are being proposed as mandatory to implement in authmeth. It was my understanding that only the SASL DIGEST-MD5 authentication mechanism was to be mandatory to implement. If we are going to require a mandatory to implement security layer in authmeth then I think it should be startTLS not SASL DIGEST-MD5 as, in my experience, startTLS is far more common in both client and server implementations. Then, if we have a mandatory to implement security layer, it removes the need for a challenge response authentication method being mandatory to implement as the IESG security requirements are met by simple authentication over TLS.

- Mark.

Roger Harrison wrote:


There was considerable discussion at the IETF 63 meeting regarding recent research into challenge-response protocols (such as DIGEST-MD5) being vulnerable to off-line dictionary attacks (see http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ).

One proposal was to recommend performing challenge-response authentication over TLS-protected connections. If we moved in this direction, then requiring the use of DIGEST-MD5 security layers seems redundant.

What effect, if any, does this have on our use of DIGEST-MD5 as the mandatory-to-implement strong authentication mechanism for LDAP?

Roger