
Re: authmeth: removal of DIGEST-MD5



At 12:27 PM 10/13/2005, Hallvard B Furuseth wrote:
>CRAM-MD5 seems to be the only alternative mechanism which is widely
>enough deployed to suggest now.  That mechanism apparently has its own
>problems, though.  So I suggest to keep the DIGEST-MD5 reference. 

I note that while CRAM-MD5 and DIGEST-MD5 don't expose the
actual password, they do expose a hash of that password that
is quite prone to offline dictionary attacks.  I'd argue
that you need to be just as careful about whom you give
that hash to as you are about giving out the actual password.

Kurt
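
The offline-dictionary exposure described in the message above, shown for CRAM-MD5 as an added example (not part of the original message or of any draft text). It uses the sample exchange printed in RFC 2195; the candidate list and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Sample exchange from RFC 2195. Both values cross the wire (base64-encoded,
# not encrypted), so they are all an observer of the exchange needs.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
OBSERVED_RESPONSE = "tim b913a602c7eda7a495b4e6e7334d3890"


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def confirmed_by_transcript(candidate: str, challenge: bytes, observed: str) -> bool:
    """True if `candidate` reproduces the observed response; the server is never contacted."""
    # The username may itself contain spaces, so split on the last one.
    username = observed.rpartition(" ")[0]
    expected = cram_md5_response(username, candidate, challenge)
    return hmac.compare_digest(expected, observed)


def audit_candidates(candidates, challenge: bytes, observed: str):
    """Return every candidate password that the transcript alone confirms."""
    return [c for c in candidates if confirmed_by_transcript(c, challenge, observed)]


# Constructed candidate list standing in for a dictionary.
CANDIDATES = ["password", "letmein", "tanstaaftanstaaf", "Tanstaaftanstaaf"]

if __name__ == "__main__":
    print(audit_candidates(CANDIDATES, CHALLENGE, OBSERVED_RESPONSE))
```

Each candidate costs one HMAC-MD5 computation and is checked entirely against the recorded exchange, so server-side lockout or rate limiting never sees the guesses.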