[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: draft minutes from Chicago meeting

To: ietf-ldapext@netscape.com, phil%jade@wg.icl.co.uk
Subject: Re: draft minutes from Chicago meeting
From: Ed Reed <ED_REED@novell.com>
Date: Wed, 30 Sep 1998 10:06:05 -0600
Content-disposition: inline
Resent-date: Wed, 30 Sep 1998 09:50:20 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"Vu8Ue2.0.Of6.45c4s"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Sorry, no.  The Mandatory to implement mechanism involving TLS does not,
I believe, require there to be any such user certificate.  Rather, startTLS
simply indicates that the transport stream over which LDAP protocol data
units are sent and received be switched onto a  confidential (anonymous) 
connection provided by TLS, over which a simple bind (including user
id and password) may be sent.  The TLS provides anonymous confidentiality
and ongoing connection data integrity, and nothing more...

or am I mistaken?

----------------------
Ed Reed, Technologist
Novell, Inc.
+1 801 861-3320

>>> "Phil Pinkerton" <phil%jade@wg.icl.co.uk> 09/30/1998 01:46:40 >>>
Surely making TLS mandatory to implement as a SASL authentication mechanism
implies that if this is all the server supports then all human clients
wishing to be strongly authenticated must have a certificate (and private
key) which, although maybe a future expectation, certainly isn't the case
today.

I suspect that most human clients today would be happy with an encrypted
password technique like CRAM-MD5 to provide strong authentication.  This
could be combined with an encrypted, but not client authenticated, TLS
session if full data confidentiality and integrity is required.  Therefore,
I would suggest that CRAM-MD5 (or its equivalent) is a more realistic SASL
mechanism to mandate in real-world terms.

Phil Pinkerton, ICL

Prev by Date: Access Controls - a suggested change to X.500
Next by Date: RE: draft minutes from Chicago meeting
Index(es):
- Chronological
- Thread