Re: authmeth: removal of DIGEST-MD5
Roger Harrison wrote:
> Based on the comments to the WG over the past several days, I believe
> that authmeth should only reference DIGEST-MD5 in historical terms. The
> Simple Mechanism Security Considerations currently state:
>
> "The name/password authentication mechanism of the simple Bind method
> discloses the password to the server, which is an inherent security
> risk. There are other mechanisms such as DIGEST-MD5 that do not disclose
> the password to the server."
>
> I would like to replace this reference to DIGEST-MD5 with another
> mechanism (it does not need to be normative) that would not disclose the
> password to the server. Suggestions?

GSSAPI would probably be the next most recognizable choice. Just off the
top of my head.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/