Re: Digest Authentication over TLS
Frank Siebenlist wrote:
>
> Now that a compromise is almost reached about the authentication methods, it's
> maybe a good time to stir things up a bit ;-)
>
> If Digest/SASL is to be the Mandatory-to-Implement non-plaintext password
> mechanism, why do we need any plaintext password mechanism at all?
>
> Guess that most will agree that it's not a good idea to send out passwords
> at all, even if they are encrypted going through the SSL channel.
>
> The idea is to use the same Digest Authentication scheme instead of
> plaintext passwords over TLS as the more secure, heavy-weight authentication
> scheme.
Sending clear text passwords over TLS has some advantages:
1) Servers can store a true, non-reversible one-way hash of just the
password instead of storing the password in the clear or something
nearly equivalent (as required by SASL/Digest).
2) Fewer protocol exchanges are needed.
> Furthermore, if there is that mandatory Digest/SASL implementation, with
> all its algorithms and password-file equivalent table of hashed user info,
> then the additional implementation of a table with plain-text passwords
> does seem double work and maintenance.
> Especially when you will allow users to come in through both mechanisms.
> How are these accounts and passwords synchronized?
This is definitely an issue, but we have a lot of authentication schemes
and not all of them play well together. If a server stores the clear
text password it can support both clear over TLS and SASL/Digest without
any problem. If it stores a one-way hash of just the password, that
same value can't be used to support SASL/Digest. If it stores the MD5
hash of user/realm/password suggested by the SASL/Digest draft, clear
text over TLS will still work since the server can perform the
appropriate check (the hash only includes information the server
presumably knows already).
--
Mark Smith
Directory Architect / Netscape Communications Corp.
My words are my own, not my employer's. Got LDAP?
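Added example, not code from the thread or from either poster: a Python sketch of the storage trade-off Mark describes. A server holding only the MD5 of user:realm:password can serve both clear text over TLS (recompute and compare) and a Digest challenge, while a server holding a salted one-way hash of the bare password can only check clear text. The challenge/response format here is a constructed simplification, not the full SASL/Digest message.

```python
import hashlib
import hmac
import os


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # The user:realm:password hash the SASL/Digest draft lets a server store.
    # It is password-equivalent: whoever holds it can answer Digest challenges.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, cnonce: str) -> str:
    # Constructed, simplified challenge/response keyed on HA1 (the real
    # Digest-MD5 response covers more fields; the shape is what matters here).
    return md5_hex(f"{ha1}:{nonce}:{cnonce}")


class HA1Store:
    """Server keeping only HA1 per user: supports both mechanisms."""
    def __init__(self, realm: str):
        self.realm, self.users = realm, {}
    def enroll(self, username: str, password: str) -> None:
        self.users[username] = digest_ha1(username, self.realm, password)
    def check_cleartext(self, username: str, password: str) -> bool:
        # Clear text over TLS: recompute HA1 from the presented password.
        expected = self.users.get(username, "")
        return hmac.compare_digest(expected, digest_ha1(username, self.realm, password))
    def check_digest(self, username: str, nonce: str, cnonce: str, response: str) -> bool:
        expected = digest_response(self.users.get(username, ""), nonce, cnonce)
        return hmac.compare_digest(expected, response)


class OneWayStore:
    """Server keeping a salted one-way hash of just the password."""
    def __init__(self):
        self.users = {}
    def enroll(self, username: str, password: str, salt: bytes = None) -> None:
        salt = salt or os.urandom(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def check_cleartext(self, username: str, password: str) -> bool:
        salt, digest = self.users.get(username, (b"", b""))
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    # No check_digest: HA1 cannot be derived from a salted hash of the bare password,
    # so this store cannot serve SASL/Digest clients at all.
```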