Kurt,
I've made this change to the requirements section of authmeth. The next question is what to do with section 10 (SASL DIGEST-MD5 Authentication Mechanism). Should we remove it from the ldapbis specification and allow it to be referenced as part of RFC 2829, or should I leave it in the ldapbis specification for informational purposes?
Roger
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/29/2005 10:51:49 am >>>
I believe WG consensus supports changing LDAP's mandatory-to-implement "strong" authentication algorithm from SASL/DIGEST-MD5 to StartTLS+simple(name/password). Hence, I direct the Editor to make appropriate changes to this draft to change the mandatory-to-implement "strong" authentication mechanism to StartTLS+simple(name/password).

-- Kurt, LDAPBIS co-chair

At 11:52 AM 9/10/2005, Roger Harrison wrote:
>There was considerable discussion at the IETF 63 meeting regarding recent research into challenge-response protocols (such as DIGEST-MD5) being vulnerable to off-line dictionary attacks (see http://www3.ietf.org/proceedings/05aug/minutes/sasl.html and http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld1.htm ).
>
>One proposal was to recommend performing challenge-response authentication over TLS-protected connections. If we moved this direction, then requiring the use of DIGEST-MD5 security layers seems redundant.
>
>What effect, if any, does this have on our use of DIGEST-MD5 as the mandatory-to-implement strong authentication mechanism for LDAP?
>
>Roger