
Re: Digest Authentication over TLS



Frank,

I don't think we should go back and change the LDAP v3 spec.  We'd never
get done that way.  We are trying to complete the spec as per IESG
requirements.

That being said, I could see some environments where a plaintext password
would suffice.  For instance, in an IP Sec environment or on a PPP link.
It is a nice simple thing to implement and I don't think we should remove
that option for the sake of the implementers.

Cheers,              ....Erik.

-----------------------------------------
Erik Skovgaard
GeoTrain Corp.
Enterprise Directory Training and Consulting
http://www.geotrain.com
+1 (604) 244-9131

At 14:38 06/10/98 -0700, Frank Siebenlist wrote:
>Now that a compromise is almost reached about the authentication methods,
>it's maybe a good time to stir things up a bit ;-)
>
>If Digest/SASL is to be the Mandatory-to-Implement non-plaintext password
>mechanism, why do we need any plaintext password mechanism at all?
>
>Guess that most will agree that it's not a good idea to send out passwords
>at all, even if they are encrypted going through the SSL channel.
>
>The idea is to use the same Digest Authentication scheme instead of
>plaintext passwords over TLS as the more secure, heavy-weight
>authentication scheme.
>
>Furthermore, if there is that mandatory Digest/SASL implementation, with
>all its algorithms and password-file equivalent table of hashed user info,
>then the additional implementation of a table with plain-text passwords
>does seem double work and maintenance.
>Especially when you will allow users to come in through both mechanisms.
>How are these accounts and passwords synchronized?
>
>Believe we would need an additional SASL mechanism for Digest-TLS/SASL.
>
>Is it too late to consider this option?
>
>-Frank.
>
>-- 
>Frank Siebenlist              DASCOM, Inc. 
>Chief Architect               3004 Mission Street
>Email: frank@dascom.com       Santa Cruz, CA 95060, USA
>Phone: +1 831/460-3600        Fax: +1 831/460-0255
>
>
>
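The quoted message contrasts a Digest/SASL mechanism, which needs a server-side table of hashed user info, with a plaintext password sent over TLS. The following Python sketch is an added illustration of that difference and is not code from either author or from any LDAP implementation: it builds the HA1-style hashed table from a constructed plaintext table, runs a nonce-bound challenge/response against it, and checks a plaintext bind against the original table. The realm, digest-uri and method strings, the user table and the nonce handling are all assumptions made for the example; MD5 appears only because it is the hash the Digest mechanisms of the period used.

```python
import hashlib
import secrets

# Constructed example: a minimal digest-style challenge/response (the HA1/HA2
# construction of the RFC 2069/2617-era Digest mechanisms) beside a plaintext
# check, to show what each side has to store and what crosses the wire.
REALM = "example.com"      # assumed realm
URI = "ldap/example.com"   # assumed digest-uri value
METHOD = "AUTHENTICATE"    # assumed method string


def md5_hex(s: str) -> str:
    # MD5 is used only because it is what the Digest mechanisms of the period
    # specified; it is not a recommendation for new designs.
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, password: str) -> str:
    return md5_hex(f"{user}:{REALM}:{password}")


def make_digest_store(plaintext_table: dict) -> dict:
    # The "password-file equivalent table of hashed user info": the server
    # keeps HA1 per user rather than the password. It can be derived from a
    # plaintext table, but the plaintext cannot be recovered from it.
    return {u: ha1(u, p) for u, p in plaintext_table.items()}


def new_nonce() -> str:
    return secrets.token_hex(16)


def client_digest_response(user: str, password: str, nonce: str) -> str:
    # What the client sends: a hash bound to the server nonce. The password
    # itself never leaves the client.
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1(user, password)}:{nonce}:{ha2}")


def server_verify_digest(digest_store: dict, used_nonces: set,
                         user: str, nonce: str, response: str) -> bool:
    # Reject unknown users and replayed nonces, then recompute the expected
    # response from the stored HA1 alone.
    if user not in digest_store or nonce in used_nonces:
        return False
    used_nonces.add(nonce)
    ha2 = md5_hex(f"{METHOD}:{URI}")
    expected = md5_hex(f"{digest_store[user]}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


def server_verify_plaintext(plaintext_table: dict, user: str, password: str) -> bool:
    # The simple-bind-over-TLS case: the password crosses the (encrypted)
    # channel and the server compares it against its own stored copy.
    stored = plaintext_table.get(user)
    return stored is not None and secrets.compare_digest(stored, password)


# Constructed user table; the digest store is derived from it one-way.
PLAINTEXT_TABLE = {"alice": "correct horse", "bob": "battery staple"}
DIGEST_STORE = make_digest_store(PLAINTEXT_TABLE)

if __name__ == "__main__":
    used = set()
    n = new_nonce()
    r = client_digest_response("alice", "correct horse", n)
    print("digest ok:", server_verify_digest(DIGEST_STORE, used, "alice", n, r))
    print("replay ok:", server_verify_digest(DIGEST_STORE, used, "alice", n, r))
    print("plain ok: ", server_verify_plaintext(PLAINTEXT_TABLE, "alice", "correct horse"))
```

The two stores are what the synchronization question is about: a server that keeps plaintext can regenerate the digest table at any time, but a server that keeps only the digest table cannot serve plaintext binds from it, so an account change has to be applied to whichever table is authoritative.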