Re: authmeth: removal of DIGEST-MD5



Roger Harrison wrote:


Based on the comments to the WG over the past several days, I believe that authmeth should only reference DIGEST-MD5 in historical terms. The Simple Mechanism Security Considerations currently state:

"The name/password authentication mechanism of the simple Bind method discloses the password to the server, which is an inherent security risk. There are other mechanisms such as DIGEST-MD5 that do not disclose the password to the server."

I would like to replace this reference to DIGEST-MD5 with another mechanism (it does not need to be normative) that would not disclose the password to the server. Suggestions?

GSSAPI would probably be the next most recognizable choice. Just off the top of my head.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/