[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Authentication Methods for LDAP - last call (mandatory CRAM-M D5)
Now that I reread authmeth-02, I don't think that there is a controversy
here (unless there is a authmeth-03 that has lots of changes). Clause 6
defines the required security mechanisms. In reference to CRAM-MD5 it
states:
"Implementations providing password-based authenticated access MUST support
authentication using CRAM-MD5, as described in section 8.1."
Clause 6 definitely does not state that all LDAP Servers must support
CRAM-MD5. This clause also notes that password based mechanisms do not
necessarily protect against "Active intermediary attacks". Paul made this
point clear in an earlier note. To provide extra protection in these
hostile waters, Clause 6 further states:
"For a directory needing session protection and authentication, The Start
TLS extended operation, and either
the simple authentication choice or the SASL EXTERNAL mechanism, are to be
used together."
Unless I'm missing something (like a later draft) this already says what
Paul wants. I think that there was agreement to mention Kerberos v5 and
X.509 specifically. Clause 6 subsection (3) seems like a good place.
I'm glad that I took the time to go back and reread this draft. The
author's should be commended on a well organized, well thought out document.
Bruce
> -----Original Message-----
> From: Paul Leach [SMTP:paulle@microsoft.com]
> Sent: Wednesday, August 05, 1998 5:56 PM
> To: 'Chris Newman'
> Cc: 'ietf-ldapext@netscape.com'
> Subject: RE: Authentication Methods for LDAP - last call (mandatory
> CRAM-M D5)
>
> We can deploy Digest in the same time frame as CRAM-MD5. It's deployment
> that counts -- perfect undeployed protocols do not increase security. And
> mandatory-to-inmplement weak deployed protocols decrease security if there
> are better alternatives available in the same time frame.
>
> Since what seems to be the problem here is politics, why not make TLS the
> mandatory-to-implement?
>
> Paul