
Re: authmeth: removal of DIGEST-MD5



At 11:49 AM 10/13/2005, Roger Harrison wrote:

>Based on the comments to the WG over the past several days, I believe that authmeth should only reference DIGEST-MD5 in historical terms.  The Simple Mechanism Security Considerations currently state: 
>
>"The name/password authentication mechanism of the simple Bind method discloses the password to the server, which is an inherent security risk. There are other mechanisms such as DIGEST-MD5 that do not disclose the password to the server." 
>
>I would like to replace this reference to DIGEST-MD5 with another mechanism (it does not need to be normative) that would not disclose the password to the server. Suggestions?

I'm fine with leaving this sentence in place as it doesn't
require a normative reference to DIGEST-MD5.