
Re: Authentication Methods for LDAP - last call



I approve of adding text similar to what you propose, but it is too
restrictive to say that implementations MUST NOT use simple bind.  It is
okay to use simple bind in conjunction with TLS, isn't it?

--
Mark Smith
Directory Architect / Netscape Communications Corp.
My words are my own, not my employer's.  Got LDAP?


John C. Strassner wrote:
> 
> How about this:
> 
> In Section 6, Required Security Mechanisms, point 2:
> 
> Replace:
> 
>      (2)   Implementations providing password-based authenticated access
>            MUST support authentication using CRAM-MD5, as described in
>            section 8.1.  This provides client authentication with
>            protection against passive eavesdropping attacks, but does
>            not provide protection against active intermediary attacks.
> 
> with:
> 
>      (2)   Implementations providing secure authenticated access MUST
>            NOT use the "simple" password authentication choice, since
>            this sends text in the clear. Therefore, such implementations
>            MUST support some secure form of authentication. Two such
>            examples are CRAM-MD5 and certificates. CRAM-MD5, while being
>            a good choice for password-based systems, has scaling issues.
>            Thus, in a large-scale distributed system, a better alternative
>            would be to use certificates in conjunction with TLS. Note that
>            CRAM-MD5, as described in section 8.1, provides client
>            authentication with protection against passive eavesdropping
>            attacks, but does not provide protection against active
>            intermediary attacks. The certificate exchange system is
>            described in section 9.
> ...
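As an added example (not part of the message above or of the draft text it discusses), the Python below shows concretely what the two sides of this exchange are arguing about: a "simple" BindRequest encoded as LDAP BER, where the password bytes are visible in the PDU exactly as sent on the wire; a CRAM-MD5 response, where only an HMAC-MD5 of the server's challenge is sent; and a small policy function that expresses the position taken in the reply (simple bind is acceptable only once TLS is established, CRAM-MD5 is acceptable either way). The DN and password are constructed sample values, the CRAM-MD5 test vector is the one in RFC 2195, and the policy function is an assumption about how an implementation might encode the rule, not wording from the draft.

```python
import hashlib
import hmac

# --- Minimal BER helpers (enough for an LDAPv3 BindRequest) ---

def _ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
           version 3, name LDAPDN, authentication simple [0] OCTET STRING } }.
    The password is carried verbatim: this is the 'text in the clear'
    the draft text objects to when no TLS layer is underneath."""
    bind = _tlv(0x60,                      # [APPLICATION 0] constructed
                _ber_int(3)                # version
                + _tlv(0x04, dn.encode())  # name (OCTET STRING)
                + _tlv(0x80, password.encode()))  # simple [0] (context, primitive)
    return _tlv(0x30, _ber_int(message_id) + bind)   # LDAPMessage SEQUENCE

def password_visible_on_wire(pdu, password):
    """True if the raw password bytes appear anywhere in the bytes sent."""
    return password.encode() in pdu

# --- CRAM-MD5 (RFC 2195): client proves knowledge of the password
#     without transmitting it; a passive eavesdropper sees only the
#     challenge and the digest. ---

def cram_md5_response(username, password, challenge):
    """username SPACE hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

# --- Policy as argued in the reply (an assumption about how an
#     implementation might encode it, not text from the draft) ---

def bind_method_allowed(method, tls_established):
    """Simple bind only over an established TLS layer; CRAM-MD5 allowed
    on either, since it does not expose the password to eavesdroppers."""
    if method == "simple":
        return tls_established
    if method == "CRAM-MD5":
        return True
    return False

if __name__ == "__main__":
    # Constructed sample values for illustration.
    pdu = simple_bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")
    print("simple bind PDU:", pdu.hex())
    print("password visible in simple bind:", password_visible_on_wire(pdu, "s3cret"))
    # Test vector from RFC 2195 section 2.
    resp = cram_md5_response("tim", "tanstaaftanstaaf",
                             "<1896.697170952@postoffice.reston.mci.net>")
    print("CRAM-MD5 response:", resp)
    print("password visible in CRAM-MD5:",
          password_visible_on_wire(resp.encode(), "tanstaaftanstaaf"))
    for tls in (False, True):
        print(f"simple bind allowed (tls={tls}):", bind_method_allowed("simple", tls))
```

The CRAM-MD5 line is also a reminder of what it does not buy: the digest is bound to the server's challenge, so a replay fails, but nothing in it authenticates the server, which is the "active intermediary" gap the draft text notes.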