Re: draft minutes from Chicago meeting
Sorry, no. The mandatory-to-implement mechanism involving TLS does not,
I believe, require there to be any such user certificate. Rather, startTLS
simply indicates that the transport stream over which LDAP protocol data
units are sent and received be switched onto a confidential (anonymous)
connection provided by TLS, over which a simple bind (including user
id and password) may be sent. The TLS provides anonymous confidentiality
and ongoing connection data integrity, and nothing more...
or am I mistaken?
----------------------
Ed Reed, Technologist
Novell, Inc.
+1 801 861-3320
>>> "Phil Pinkerton" <phil%jade@wg.icl.co.uk> 09/30/1998 01:46:40 >>>
Surely making TLS mandatory to implement as a SASL authentication mechanism
implies that if this is all the server supports then all human clients
wishing to be strongly authenticated must have a certificate (and private
key) which, although maybe a future expectation, certainly isn't the case
today.
I suspect that most human clients today would be happy with an encrypted
password technique like CRAM-MD5 to provide strong authentication. This
could be combined with an encrypted, but not client authenticated, TLS
session if full data confidentiality and integrity is required. Therefore,
I would suggest that CRAM-MD5 (or its equivalent) is a more realistic SASL
mechanism to mandate in real-world terms.
Phil Pinkerton, ICL
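Added example, not from either message in this thread: a minimal CRAM-MD5 (RFC 2195) challenge/response as Phil describes it, with both the client and the server side in Python. The helper names and the sample account are assumptions; the test vector in the comments is the one from RFC 2195. It shows what the mechanism provides (the password never crosses the wire) and what it does not (no confidentiality or integrity for the rest of the session, and the server must hold each user's plaintext password), which is the trade-off against Ed's startTLS-plus-simple-bind.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, client and server side.

Added example, not part of the thread. Function names and the sample
account are assumptions; the RFC 2195 vector is quoted in comments.
"""
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str) -> str:
    # Server side: a unique, unpredictable msg-id style challenge.
    # A repeated challenge would let a captured digest be replayed.
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_digest(password: str, challenge: str) -> str:
    # HMAC-MD5 keyed with the shared secret over the server's challenge.
    # RFC 2195 vector: password "tanstaaftanstaaf", challenge
    # "<1896.697170952@postoffice.reston.mci.net>" gives
    # "b913a602c7eda7a495b4e6e7334d3890".
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge: str) -> str:
    # Client side: "<username> <hex digest>". Only the digest crosses the
    # wire, never the password itself, but nothing after this exchange is
    # encrypted or integrity protected by the mechanism.
    return f"{username} {cram_md5_digest(password, challenge)}"


def wire_encode(response: str) -> str:
    # SASL carries the response base64 encoded.
    return base64.b64encode(response.encode()).decode()


def server_verify(response: str, challenge: str, passwords: dict) -> bool:
    # Server side: recompute from the stored secret and compare in
    # constant time. The server must keep the plaintext password (or the
    # equivalent HMAC key state) for every account, which is the main
    # operational drawback of CRAM-MD5 versus a hashed password store.
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = passwords.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(cram_md5_digest(secret, challenge), digest)
```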