RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)
I'm afraid I don't consider HTTP digest a viable alternative to CRAM-MD5
at this time.
HTTP digest as per the current RFC is only marginally better than
CRAM-MD5. On the other hand, HTTP digest uses a hash function in a way
which may leak information about the password and prevents users from
being renamed which could be a serious flaw for LDAP since DNs are much
more likely to change than usernames.
Also, there is no internet-draft for an HTTP digest SASL mechanism. The
CRAM-MD5 mechanism took two years to go from first draft to IESG approval.
Even with an extensive political push, I couldn't see a complete HTTP
digest SASL mechanism happening in fewer than 8 months. I don't think we
want to delay interoperable LDAP update access that long.
Even a mechanism like SCRAM-MD5 which is significantly better than HTTP
digest and CRAM-MD5 and has been around over a year with multiple
implementations and review would probably take 6 months to get
IESG approval if we're lucky.
I'd (obviously) like a simple hash-based mechanism that's better than
CRAM-MD5, but I don't see it happening with the current security area
politics.
I agree CRAM-MD5 is weak. But it's so much better than unencrypted clear
text passwords that it's well worth deploying.
- Chris
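The following is an added illustration, not part of Chris's message, of the "users cannot be renamed" point he raises about HTTP digest. It implements the CRAM-MD5 client/server computation (HMAC-MD5 of the server challenge, keyed with the password) and the HTTP Digest stored verifier H(A1) = MD5(username:realm:password), then checks which stored secret survives a change of username. The challenge, password, realm and usernames are constructed sample values, not from the message or any RFC example.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the original message).
CHALLENGE = b"<12345.1630000000@postoffice.example.com>"
PASSWORD = "correct-horse-battery"
REALM = "ldap.example.com"


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: the username, a space, and the lowercase hex
    HMAC-MD5 of the server's challenge keyed with the password.
    The password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, stored_password: str, challenge: bytes) -> bool:
    """Server side of CRAM-MD5: recompute the HMAC with the stored secret and
    compare in constant time. Note that the username is only used to look the
    secret up; it does not enter the HMAC."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def http_digest_ha1(username: str, realm: str, password: str) -> str:
    """HTTP Digest stored verifier H(A1) = MD5(username ':' realm ':' password).
    The username is baked into the value the server keeps on disk."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def rename_comparison(old_user: str, new_user: str, password: str,
                      realm: str, challenge: bytes) -> dict:
    """Simulate renaming old_user to new_user without re-prompting for the password.

    CRAM-MD5: the server's stored secret is name-independent, so the renamed
    user's response still verifies against it.
    HTTP Digest: the stored H(A1) was computed over the old name, so the
    verifier for the new name differs and the old one can no longer be used.
    """
    # The CRAM-MD5 secret stored for old_user is simply the password (or an
    # equivalent name-independent HMAC key); reuse it for the new name.
    cram_ok = cram_md5_verify(
        cram_md5_response(new_user, password, challenge), password, challenge
    )
    # The HTTP Digest verifier stored for old_user only matches if the new
    # name hashes to the same H(A1), which it does not.
    digest_ok = http_digest_ha1(old_user, realm, password) == http_digest_ha1(
        new_user, realm, password
    )
    return {"cram_md5": cram_ok, "http_digest": digest_ok}


if __name__ == "__main__":
    resp = cram_md5_response("tim", PASSWORD, CHALLENGE)
    print("CRAM-MD5 response:", resp)
    print("verifies:", cram_md5_verify(resp, PASSWORD, CHALLENGE))
    print("H(A1) for tim:", http_digest_ha1("tim", REALM, PASSWORD))
    print("after rename tim -> timothy:",
          rename_comparison("tim", "timothy", PASSWORD, REALM, CHALLENGE))
```

The practical consequence for a directory deployment is the one Chris describes: with HTTP digest, renaming an entry (changing the part of the DN used as the username) silently invalidates every stored H(A1) unless the server keeps the old name or captures the password again, whereas a CRAM-MD5 secret can follow the entry under its new name.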