[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Authentication Methods for LDAP - last call

To: 'Bruce Greenblatt' <Bgreenblatt@rsa.com>, Tim Howes <howes@netscape.com>, ietf-ldapext@netscape.com
Subject: RE: Authentication Methods for LDAP - last call
From: Paul Leach <paulle@microsoft.com>
Date: Wed, 12 Aug 1998 17:30:44 -0700
Resent-date: Wed, 12 Aug 1998 17:30:58 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"EdiTT3.0.TI2.0FZqr"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

The statement

"This provides client authentication with protection against passive
eavesdropping attacks, but does not provide protection against active
intermediary attacks."

is incorrect. It provides somewhat more protection than base64 encoding the
password, but leaves it susceptible to chosen plaintext attacks and hence
precomputed dictionary attacks and batch brute force attacks -- all of which
are passive eavesdropping attacks.

I posted a proposed substitute section 8.1, using Digest instead of
CRAM-MD5. It would permit shared authentication logic and authentication
databases between HTTP and LDAP -- a BIG win, IMHO.

Paul

Follow-Ups:
- RE: Authentication Methods for LDAP - last call
  - From: Chris Newman <Chris.Newman@INNOSOFT.COM>

Prev by Date: call for LDAPEXT agenda items
Next by Date: Aggressive Inline and your Teenage Market!
Index(es):
- Chronological
- Thread