[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authmeth-15: mandatory-to-implement strong authentication

To: "Roger Harrison" <RHARRISON@novell.com>
Subject: Re: authmeth-15: mandatory-to-implement strong authentication
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 29 Sep 2005 09:51:49 -0700
Cc: <ietf-ldapbis@OpenLDAP.org>
In-reply-to: <4322D701.DBA8.00BF.0@novell.com>
References: <4322D701.DBA8.00BF.0@novell.com>

I believe WG consensus supports changing LDAP's
mandatory-to-implement "strong" authentication algorithm
from SASL/DIGEST-MD5 to StartTLS+simple(name/password).

Hence, I direct the Editor to make appropriate changes
to this draft to change the mandatory-to-implement
"strong" authentication mechanism to
StartTLS+simple(name/password).

-- Kurt, LDAPBIS co-chair

At 11:52 AM 9/10/2005, Roger Harrison wrote:

>There was considerable discussion at the IETF 63 meeting regarding recent research into challenge-response protocols (such as DIGEST-MD5) being vulnerable to off-line dictionary attacks (see <http://www3.ietf.org/proceedings/05aug/minutes/sasl.html>http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and <http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm>http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ). 
>
>One proposal was to recommend performing challenge-response authentication over TLS-protected connections.  If we moved this dirction, then requiring the use of DIGEST-MD5 security layers seems redundant. 
>
>What effect, if any, does this have on our use of DIGEST-MD5 as the mandatory-to-implement strong authentication mechanism for LDAP? 
>
>Roger

References:
- authmeth-15: mandatory-to-implement strong authentication
  - From: "Roger Harrison" <RHARRISON@novell.com>

Prev by Date: Re: [Gen-art] A *new* batch of IETF LC reviews - Sept 10th
Next by Date: I-D ACTION:draft-ietf-ldapbis-roadmap-08.txt
Index(es):
- Chronological
- Thread