
Re: authmeth-02 && (Digest | CRAM-MD5)?
Some observations:

It is very desirable to use the same password backend and authentication
source code for mail/news, directory and web services due to the large
number of products which combine two or more of these services.  This is
easiest to achieve if there is a common mandatory-to-implement baseline
mechanism. It is my understanding that the web community is committed to
the new HTTP digest mechanism.  The mail/news and directory areas aren't
firmly committed to a specific solution yet although there has been
significant movement in the direction of CRAM-MD5 because it's there.

CRAM-MD5 (and APOP and CHAP and the RFC 2069 HTTP-DIGEST) all lack a
client nonce.  This means a rogue server can easily get the password (with
a known plaintext attack) if an incautious client tries to authenticate to
that server.  It's my understanding that the number of clients which will
fall in the "incautious" class may be high.  I don't consider this attack
damning, but it happens to be easy to create a demonstration and use that
to rake a vendor over the coals.

Most people don't see CRAM-MD5 as the best choice for a baseline mechanism
in the long term even though it's much better than clear text.  It's
missing too many useful operational security features.

Conclusions I got from various meetings:

Paul and I will try to come up with an HTTP-digest based SASL mechanism
that's "good enough" operationally to be a mandatory-to-implement baseline
authentication mechanism.  The meeting I had with Paul went well -- I
think the result will be good. 

The current drafts that are nearing last call and need a 
mandatory-to-implement mechanism are:

	LDAP authentication
	NNTP authentication
	On-demand SMTP

We've got informal agreements to hold these drafts for two weeks for the
HTTP-digest based alternative.  Assuming the HTTP-digest based alternative
is issued promptly and it's acceptable to the LDAPEXT WG, it will be last
called along with the LDAP authentication spec.  If the HTTP-digest based
alternative starts causing undue delay in the standards process, then
CRAM-MD5 is the fallback choice. 

		- Chris
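
Added example, not part of Chris's message or of any of the drafts it mentions: a Python sketch of a CRAM-MD5 exchange in the RFC 2195 style (HMAC-MD5 keyed with the password over a server-chosen challenge), showing why a rogue server that picks the whole challenge can recover a dictionary password from a single client response, and even precompute a lookup table for a fixed challenge before any client connects. The challenge string, user name, password and dictionary are constructed sample data. The "nonced" variant at the end, which mixes a client-chosen nonce into the HMAC input, is an assumed illustration of the missing feature, not a standardized mechanism; it defeats precomputation but, as with any challenge-response scheme, not an online guess once the nonce is seen.

```python
"""CRAM-MD5 (RFC 2195 style) and a rogue-server dictionary attack.

Added example for illustration; not code from the original message.
All names, the challenge and the dictionary below are constructed.
"""

import hashlib
import hmac
from typing import Dict, Iterable, Optional

# --- constructed sample data -------------------------------------------------
USERNAME = "alice"
PASSWORD = "tanstaaf"                       # weak password present in the dictionary
CHALLENGE = b"<1896.697170952@example.com>"  # server-chosen challenge, RFC 2195 shape
DICTIONARY = ["password", "letmein", "tanstaaf", "hunter2", "correcthorse"]


def _hmac_md5_hex(password: str, message: bytes) -> str:
    """HMAC-MD5 keyed with the password, hex encoded (the CRAM-MD5 digest)."""
    return hmac.new(password.encode(), message, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: 'username ' + hex(HMAC-MD5(password, challenge)).

    The client contributes nothing random: everything the digest depends on,
    apart from the password itself, was chosen by the server.
    """
    return f"{username} {_hmac_md5_hex(password, challenge)}"


def verify_response(response: str, stored_password: str, challenge: bytes) -> bool:
    """Honest server: recompute the digest from the stored password and compare."""
    digest = response.split()[-1]
    expected = _hmac_md5_hex(stored_password, challenge)
    return hmac.compare_digest(digest, expected)


def dictionary_attack(response: str, challenge: bytes,
                      dictionary: Iterable[str]) -> Optional[str]:
    """Rogue server: it chose the challenge and saw the response, so the pair
    (challenge, digest) is a known plaintext/MAC pair for the password. Test
    candidates offline until one reproduces the digest."""
    digest = response.split()[-1]
    for candidate in dictionary:
        if hmac.compare_digest(_hmac_md5_hex(candidate, challenge), digest):
            return candidate
    return None


def precompute_table(challenge: bytes, dictionary: Iterable[str]) -> Dict[str, str]:
    """Rogue server that reuses one fixed challenge for every victim can build
    the digest -> password table once, before any client connects."""
    return {_hmac_md5_hex(c, challenge): c for c in dictionary}


def lookup_in_table(response: str, table: Dict[str, str]) -> Optional[str]:
    """Constant-time-irrelevant here: the attacker is looking up its own table."""
    return table.get(response.split()[-1])


def nonced_response(username: str, password: str, challenge: bytes,
                    client_nonce: bytes) -> str:
    """ASSUMED variant (not RFC 2195): the client mixes its own nonce into the
    HMAC input and sends it along with the digest. A table precomputed for the
    bare server challenge no longer matches, so the rogue server must redo the
    dictionary pass per victim after seeing the nonce."""
    digest = _hmac_md5_hex(password, challenge + b":" + client_nonce)
    return f"{username} {client_nonce.decode()} {digest}"


if __name__ == "__main__":
    resp = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)
    print("client ->", resp)
    print("honest server accepts:", verify_response(resp, PASSWORD, CHALLENGE))
    print("rogue server recovers:", dictionary_attack(resp, CHALLENGE, DICTIONARY))
    table = precompute_table(CHALLENGE, DICTIONARY)
    print("precomputed lookup:   ", lookup_in_table(resp, table))
    nresp = nonced_response(USERNAME, PASSWORD, CHALLENGE, b"c0ffee")
    print("nonced response:      ", nresp)
    print("table hit on nonced:  ", lookup_in_table(nresp, table))
```

Run it as a script and the honest verification succeeds, the dictionary attack and the precomputed table both return the sample password, and the table lookup against the nonced response returns None.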