[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: authmeth-15: mandatory-to-implement strong authentication
I believe WG consensus supports changing LDAP's
mandatory-to-implement "strong" authentication algorithm
from SASL/DIGEST-MD5 to StartTLS+simple(name/password).
Hence, I direct the Editor to make appropriate changes
to this draft to change the mandatory-to-implement
"strong" authentication mechanism to
StartTLS+simple(name/password).
-- Kurt, LDAPBIS co-chair
At 11:52 AM 9/10/2005, Roger Harrison wrote:
>There was considerable discussion at the IETF 63 meeting regarding recent research into challenge-response protocols (such as DIGEST-MD5) being vulnerable to off-line dictionary attacks (see <http://www3.ietf.org/proceedings/05aug/minutes/sasl.html>http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and <http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm>http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ).
>
>One proposal was to recommend performing challenge-response authentication over TLS-protected connections. If we moved this dirction, then requiring the use of DIGEST-MD5 security layers seems redundant.
>
>What effect, if any, does this have on our use of DIGEST-MD5 as the mandatory-to-implement strong authentication mechanism for LDAP?
>
>Roger