
Re: authmeth: removal of DIGEST-MD5



Roger Harrison writes:
> Based on the comments to the WG over the past several days, I believe
> that authmeth should only reference DIGEST-MD5 in historical terms.

You should probably keep much of the DIGEST-MD5 text on authmeth-15
page 16 and generalize it to talk about SASL.

> The Simple Mechanism Security Considerations currently state:
>
> The name/password authentication mechanism of the simple Bind method
> discloses the password to the server, which is an inherent security
> risk. There are other mechanisms such as DIGEST-MD5 that do not disclose
> the password to the server.
>
> I would like to replace this reference to DIGEST-MD5 with another
> mechanism (it does not need to be normative) that would not disclose
> the password to the server.  Suggestions?

CRAM-MD5 seems to be the only alternative mechanism which is widely
enough deployed to suggest now.  That mechanism apparently has its own
problems, though.  So I suggest keeping the DIGEST-MD5 reference.

-- 
Hallvard
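The distinction the thread turns on, shown as an added example that is not part of the original message or of the authmeth draft: the simple Bind method sends the password itself to the server, while a challenge-response mechanism such as CRAM-MD5 (RFC 2195) sends only an HMAC-MD5 of a server-chosen challenge keyed with the password. The user store, user names and challenge format below are constructed for illustration; the verification step makes the trade-off visible, since the server can only check the response if it holds the cleartext password (or equivalent) for the account.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store standing in for directory entries. CRAM-MD5
# verification needs the cleartext password on the server side, which is one
# of the deployment costs of the mechanism.
USER_DB = {"alice": "correct horse battery staple"}


def simple_bind_wire(username: str, password: str) -> bytes:
    """What the simple Bind name/password method carries to the server:
    the name and the password itself (LDAP BER framing omitted)."""
    return f"{username}\x00{password}".encode()


def cram_md5_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge, base64-encoded as in
    RFC 2195. The exact text inside the angle brackets is a constructed
    format; only its freshness matters."""
    nonce = secrets.token_hex(16)
    return base64.b64encode(f"<{nonce}@example.invalid>".encode())


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """HMAC-MD5 of the decoded challenge keyed with the password, as hex."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: 'username SP hex-digest', base64-encoded. The password
    never leaves the client; only the keyed digest does."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password, challenge)
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(challenge_b64: bytes, response_b64: bytes,
                    user_db: dict = USER_DB) -> bool:
    """Server side: recompute the digest from the stored cleartext password
    and compare in constant time. A response bound to a different challenge
    (e.g. a replayed one) fails because the challenge is part of the MAC input."""
    try:
        username, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    password = user_db.get(username)
    if password is None:
        return False
    expected = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected, digest)


def password_on_wire(wire: bytes, password: str) -> bool:
    """Does the raw or base64-decoded traffic contain the password?"""
    if password.encode() in wire:
        return True
    try:
        return password.encode() in base64.b64decode(wire, validate=True)
    except ValueError:
        return False


if __name__ == "__main__":
    pw = USER_DB["alice"]
    print("simple bind exposes password:", password_on_wire(simple_bind_wire("alice", pw), pw))
    ch = cram_md5_challenge()
    resp = cram_md5_response("alice", pw, ch)
    print("CRAM-MD5 exposes password:", password_on_wire(resp, pw))
    print("CRAM-MD5 verifies:", cram_md5_verify(ch, resp))
```

Running the module prints that the simple Bind payload contains the password while the CRAM-MD5 response does not, and that the response still verifies against the challenge it was computed for. The same `cram_md5_digest` reproduces the RFC 2195 test vector (user `tim`, password `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`).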