
Re: Authentication Methods for LDAP - last call

How about this:

In Section 6, Required Security Mechanisms, point 2:

Replace:

     (2)   Implementations providing password-based authenticated access
           MUST support authentication using CRAM-MD5, as described in 
           section 8.1.  This provides client authentication with 
           protection against passive eavesdropping attacks, but does
           not provide protection against active intermediary attacks.

with:

     (2)   Implementations providing secure authenticated access MUST
           NOT use the "simple" password authentication choice, since
           this sends text in the clear. Therefore, such implementations
           MUST support some secure form of authentication. Two such
           examples are CRAM-MD5 and certificates. CRAM-MD5, while being
           a good choice for password-based systems, has scaling issues.
           Thus, in a large-scale distributed system, a better alternative
           would be to use certificates in conjunction with TLS. Note that
           CRAM-MD5, as described in section 8.1, provides client
           authentication with protection against passive eavesdropping
           attacks, but does not provide protection against active
           intermediary attacks. The certificate exchange system is
           described in section 9.

regards,
John

At 10:31 AM 8/1/98 -0700, Tim Howes wrote:
>The whole reason for this document is to make one mechanism
>mandatory, so that implementations have some guarantee of
>interoperability. Aside from being a good idea, this constraint
>has been clearly imposed by the IESG. So, you could argue
>that we've chosen the wrong mandatory mechanism, and that
>we should have chosen an X.509-based mechanism to be
>mandatory. That was considered and rejected as too high
>an implementation burden. Given this background, and these
>constraints, do you have any suggestions on how to improve
>this document?                               -- Tim
>
>Steve Kille wrote:
>
>> Mark,
>>
>> I agree with all of this.   CRAM-MD5 is a good shared
>> secret mechanism, better than plain text password, and
>> suitable for some LDAP deployment.
>>
>> I think that X.509 (asymmetric key) mechanisms, such as
>> the one you describe are going to be suitable for a lot of
>> other environments.
>>
>> My objection is to making CRAM-MD5 MANDATORY, when it is
>> so clearly unsuitable for a lot of types of LDAP deployment.
>>
>> Steve
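The CRAM-MD5 exchange the proposed wording refers to (section 8.1 of the draft; the mechanism itself is RFC 2195), as an added Python example that is not part of this thread or the draft: the client sends only HMAC-MD5(password, challenge), so a passive listener learns neither the password nor a reusable response, while the server must hold the shared secret in recomputable form and nothing in the exchange authenticates the server, which is what the "active intermediary" caveat and the scaling remark point at. The hostname and the user directory are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo directory: CRAM-MD5 requires the server to hold the shared
# secret itself (not a one-way hash of it), one of the reasons it scales poorly.
USERS = {"tim": "tanstaaftanstaaf"}  # values constructed for this example


def make_challenge(hostname: str = "ldap.example.com") -> bytes:
    """Server side: fresh, unpredictable challenge in the RFC 2195 '<nonce.time@host>' form."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username hexdigest' with digest = HMAC-MD5(key=password, msg=challenge).
    The password never leaves the client; only the keyed digest is sent."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from the stored secret for this exact challenge."""
    try:
        username, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = USERS.get(username)
    if secret is None or len(digest) != 32:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(username: str, password: str) -> dict:
    """One complete bind: what a passive eavesdropper sees, plus the server's decisions."""
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    return {
        "on_the_wire": (challenge, response),      # neither message contains the password
        "accepted": server_verify(response, challenge),
        # the captured response is bound to its challenge; against a fresh one it fails
        "replay_accepted": server_verify(response, make_challenge()),
    }
```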