Re: Authentication Methods for LDAP - last call
Mark,
when I read StartTLS, it seemed like: 1) client authentication was
optionally required and 2) if the client had already authenticated,
then StartTLS would not change it. To wit:
From section 6.1.1 of StartTLS (Default Effects):
Upon establishment of the TLS connection onto the LDAP association, any
previously established authentication and authorization identities MUST
remain in force, including anonymous state. This holds even in the case
where the server requests client authentication via TLS...
That being said, perhaps the best of all worlds is to make it even more
explicit as follows:
(2) Implementations providing secure authenticated access MUST
NOT use the "simple" password authentication choice, since
this sends text in the clear, unless a secure channel with
some method of secure authentication has already been
established. An example of this is described in the
StartTLS draft.
(then the rest of the original paragraph, included here for simplicity):
Therefore, such implementations MUST support some secure form
of authentication. Two such examples are CRAM-MD5 and
certificates. CRAM-MD5, while being a good choice for
password-based systems, has scaling issues. Thus, in a
large-scale distributed system, a better alternative would
be to use certificates in conjunction with TLS. Note that
CRAM-MD5, as described in section 8.1, provides client
authentication with protection against passive eavesdropping
attacks, but does not provide protection against active
intermediary attacks. The certificate exchange system is
described in section 9.
Does this help?
regards,
John
At 02:20 PM 8/1/98 -0700, Mark Smith wrote:
>I approve of adding text similar to what you propose, but it is too
>restrictive to say that implementations MUST NOT use simple bind. It is
>okay to use simple bind in conjunction with TLS, isn't it?
>
>--
>Mark Smith
>Directory Architect / Netscape Communications Corp.
>My words are my own, not my employer's. Got LDAP?
>
>
>John C. Strassner wrote:
>>
>> How about this:
>>
>> In Section 6, Required Security Mechanisms, point 2:
>>
>> Replace:
>>
>> (2) Implementations providing password-based authenticated access
>> MUST support authentication using CRAM-MD5, as described in
>> section 8.1. This provides client authentication with
>> protection against passive eavesdropping attacks, but does
>> not provide protection against active intermediary attacks.
>>
>> with:
>>
>> (2) Implementations providing secure authenticated access MUST
>> NOT use the "simple" password authentication choice, since
>> this sends text in the clear. Therefore, such implementations
>> MUST support some secure form of authentication. Two such
>> examples are CRAM-MD5 and certificates. CRAM-MD5, while being
>> a good choice for password-based systems, has scaling issues.
>> Thus, in a large-scale distributed system, a better alternative
>> would be to use certificates in conjunction with TLS. Note that
>> CRAM-MD5, as described in section 8.1, provides client
>> authentication with protection against passive eavesdropping
>> attacks, but does not provide protection against active
>> intermediary attacks. The certificate exchange system is
>> described in section 9.
>> ...
>
>
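Added example (not from this thread, the StartTLS draft, or any list participant's code): a small Python audit of LDAP PDUs that flags a "simple" bind whose password went out before StartTLS completed, treats a simple bind inside an established TLS session as acceptable, and leaves the bound identity untouched when StartTLS succeeds, which is the section 6.1.1 behaviour quoted above. The BER encoder/decoder is hand-written and covers only what these PDUs need (the tag values are the standard LDAPv3 ones: BindRequest [APPLICATION 0], ExtendedRequest [APPLICATION 23], ExtendedResponse [APPLICATION 24], simple [0]); the DNs, passwords and sessions are constructed, not captured traffic, and bind results are assumed successful.

```python
"""Audit an LDAP session at the protocol layer: flag simple BindRequests whose
password crossed the wire before StartTLS was negotiated, and show that an
identity bound before StartTLS stays in force afterwards (StartTLS draft 6.1.1).
Added example for this thread; hand-written BER codec; constructed sessions."""
from dataclasses import dataclass

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # ExtendedRequest.requestName

# BER tags for the pieces of LDAPv3 PDUs used here
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x60, 0x77, 0x78
AUTH_SIMPLE = 0x80                                 # AuthenticationChoice simple [0]
CTX0 = 0x80                                        # ExtendedRequest requestName [0]


def ber_tlv(buf: bytes, i: int):
    """Decode the BER element at buf[i] -> (tag, contents, index after it).
    Short- and long-form definite lengths only, which is all LDAP uses."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length


def ber_children(contents: bytes):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, i = [], 0
    while i < len(contents):
        tag, val, i = ber_tlv(contents, i)
        out.append((tag, val))
    return out


def encode(tag: int, value: bytes) -> bytes:
    """BER encoder for the sample PDUs (short-form length, so < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def ldap_message(msg_id: int, op_tag: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return encode(SEQUENCE, encode(INTEGER, bytes([msg_id])) + encode(op_tag, op))


@dataclass
class Finding:
    msg_id: int
    dn: str
    under_tls: bool
    severity: str          # the password itself is deliberately not recorded


def audit(pdus):
    """pdus: iterable of (direction, raw_pdu), direction 'c' (client->server) or
    's' (server->client), as seen at the LDAP layer (after TLS decryption once
    TLS is up). Returns (findings, identity in force at the end). Assumes binds
    succeed; BindResponse handling is not modelled."""
    tls_active, pending_starttls, identity, findings = False, None, "", []
    for direction, pdu in pdus:
        tag, body, _ = ber_tlv(pdu, 0)
        if tag != SEQUENCE:
            raise ValueError("not an LDAPMessage")
        (_, mid), (op_tag, op) = ber_children(body)[:2]
        msg_id = int.from_bytes(mid, "big")
        if direction == "c" and op_tag == EXTENDED_REQUEST:
            if dict(ber_children(op)).get(CTX0) == STARTTLS_OID:
                pending_starttls = msg_id
        elif direction == "s" and op_tag == EXTENDED_RESPONSE and msg_id == pending_starttls:
            code_tag, code = ber_children(op)[0]     # resultCode ENUMERATED, 0 = success
            if code_tag == ENUMERATED and int.from_bytes(code, "big") == 0:
                tls_active = True                    # identity is left untouched (6.1.1)
            pending_starttls = None
        elif direction == "c" and op_tag == BIND_REQUEST:
            _version, (_, dn), (auth_tag, cred) = ber_children(op)[:3]
            if auth_tag == AUTH_SIMPLE:
                if not cred:
                    severity = "info"   # empty password = anonymous bind, nothing leaked
                elif tls_active:
                    severity = "ok"     # simple bind inside TLS: channel protects it
                else:
                    severity = "HIGH"   # password crossed the wire in the clear
                findings.append(Finding(msg_id, dn.decode(), tls_active, severity))
            identity = dn.decode()
    return findings, identity


def bind_pdu(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """BindRequest [APPLICATION 0] with version 3 and the simple choice."""
    return ldap_message(msg_id, BIND_REQUEST, encode(INTEGER, b"\x03")
                        + encode(OCTET_STRING, dn) + encode(AUTH_SIMPLE, password))


def starttls_exchange(msg_id: int):
    """StartTLS ExtendedRequest plus a successful ExtendedResponse for it."""
    req = ldap_message(msg_id, EXTENDED_REQUEST, encode(CTX0, STARTTLS_OID))
    ok = ldap_message(msg_id, EXTENDED_RESPONSE, encode(ENUMERATED, b"\x00")
                      + encode(OCTET_STRING, b"") + encode(OCTET_STRING, b""))
    return [("c", req), ("s", ok)]


# Constructed sessions (hypothetical DNs and passwords, not captured traffic)
SESSION_CLEAR_THEN_TLS = [("c", bind_pdu(1, b"cn=admin,o=example", b"hunter2"))] + starttls_exchange(2)
SESSION_TLS_THEN_BIND = starttls_exchange(1) + [("c", bind_pdu(2, b"cn=svc,o=example", b"s3cret"))]
SESSION_ANONYMOUS = [("c", bind_pdu(1, b"", b""))]

if __name__ == "__main__":
    for name, session in [("clear-then-tls", SESSION_CLEAR_THEN_TLS),
                          ("tls-then-bind", SESSION_TLS_THEN_BIND),
                          ("anonymous", SESSION_ANONYMOUS)]:
        print(name, audit(session))
```

A passive sniffer on port 389 would only ever produce the "HIGH" and "info" findings, since everything after a successful StartTLS is encrypted on the wire; the "ok" case is visible only at an endpoint or a terminating proxy that sees the decrypted PDUs. The audit keeps the identity bound before StartTLS in force after it, which is exactly why a cleartext bind followed by StartTLS is still a compromise: the session now runs as cn=admin on the strength of a password an eavesdropper already has.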