[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authlevel in LDAP ACI

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: Authlevel in LDAP ACI
From: Ellen Stokes <stokes@austin.ibm.com>
Date: Wed, 19 Apr 2000 03:36:01 -0500
Cc: "Volpers, Helmut" <helmut.volpers@icn.siemens.de>, ietf-ldapext-acm@OpenLDAP.org
In-reply-to: <3.0.5.32.20000419073641.009ea880@infidel.boolean.net>
References: <4.2.2.20000418204043.00a2c830@popmail2.austin.ibm.com> <E1EB691EEC98D311A7CC0050DA3D835708BC12@pappel.mch.sni.de>

Kurt,

I see your point.  But, then "strong'' is in the eye of the beholder.
The point of digest-md5 was to limit some security holes in
authentication.

What do others think?

Ellen

At 07:36 AM 4/19/00 +0200, Kurt D. Zeilenga wrote:

At 08:45 PM 4/18/00 -0500, Ellen Stokes wrote: >Here's a sketchy BNF for incorporating authentication strength >and mechanism per today's discussion. > >< ldapACI > ::= < acl entry syntax > > >< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#' > + < rights > + '#' + < dnType > > + < authLevel > + '#' + < subjectDn > > >< authLevel > ::= "none" | "simple" | <strong> > >< strong > ::= "strong" | < SASLauth > > >< SASLauth > ::= "SASL" + ':' + < SASLmech > > >< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | "KERBEROS-ID" |< printableString
KERBEROS-ID is not a SASL mechanism, it's a form of authorization
(access) identity.
>
>Assumption here is that anything other than none or simple is strong and
>strong can
>be specified as strong (any other mechanism) or an explicit mechanism.
This use of "strong" is misleading.  Simple authentication when
solid privacy and integrity are in place (ala TLS, IPSEC) is
actually stronger than DIGEST-MD5 without such protections.

References:
- Re: Authlevel in LDAP ACI
  - From: Ellen Stokes <stokes@austin.ibm.com>
- Re: Authlevel in LDAP ACI
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: Authlevel in LDAP ACI
Next by Date: Re: ldapACI permissions for ldap_modify (write)
Index(es):
- Chronological
- Thread