Re: userPassword question



On Wed, 29 Jul 1998, Mark Smith wrote:
> client.  Bottom line: clients should always present passwords in clear
> text.

Mark, you have no idea how tempted I am to use that quote in a signature
line when posting to some IETF security-related WGs.  :-)  But I'll be
good.

FYI, my technical opinion is:

All clients and servers MUST implement a fast authentication mechanism
which does not send the password in the clear and does not use encryption. 
All clients and servers SHOULD implement an authentication mechanism which
sends a clear text password under strong encryption.  All clients and
servers MUST be configurable to never send or accept an unencrypted clear
text password.

I expect the argument between these two philosophies will be very
interesting. 

		- Chris
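
An added illustration of the three requirements in the message above, not code from the original post or from either participant. An HMAC-SHA-256 challenge-response stands in for the unspecified "fast" mechanism as an assumption, and the names `AuthServer`, `client_response` and `CleartextRefused` are hypothetical.

```python
import hashlib
import hmac
import secrets


class CleartextRefused(Exception):
    """Raised when a cleartext password arrives on an unencrypted channel."""


def client_response(password: bytes, challenge: bytes) -> bytes:
    # Client side: prove knowledge of the password without transmitting it.
    return hmac.new(password, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, secrets_by_user, allow_unencrypted_cleartext=False):
        # Assumption of this sketch: the server holds the shared secret itself,
        # which a challenge-response scheme of this kind requires.
        self.secrets_by_user = secrets_by_user
        # Default matches "configurable to never accept" from the message.
        self.allow_unencrypted_cleartext = allow_unencrypted_cleartext
        self.pending = {}  # user -> outstanding one-time challenge

    def issue_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify_response(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # single use: blocks replay
        secret = self.secrets_by_user.get(user)
        if challenge is None or secret is None:
            return False
        expected = client_response(secret, challenge)
        return hmac.compare_digest(expected, response)

    def verify_cleartext(self, user: str, password: bytes,
                         channel_encrypted: bool) -> bool:
        # Policy gate runs before any credential comparison.
        if not channel_encrypted and not self.allow_unencrypted_cleartext:
            raise CleartextRefused("cleartext password on unencrypted channel")
        secret = self.secrets_by_user.get(user)
        return secret is not None and hmac.compare_digest(secret, password)
```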