RFC2256: userPassword
RFC2256 5.36 userPassword says "Passwords are stored using an
Octet String syntax and are not encrypted." However, it's
common practice to store "encrypted" passwords in userPassword
using a mechanism derived from RFC2307 (i.e., userPassword: {method}hash).
For security considerations, I believe it unwise to ever maintain
a cleartext userPassword. I believe RFC2256 should be updated to
read:
Passwords are stored using an Octet String syntax and SHOULD be
encrypted. ...
It would also be wise to standardize the syntax for encrypted
userPassword representation (i.e., replace Octet String with an
appropriate syntax).
Kurt
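As an added illustration (example code, not part of Kurt's message or of any RFC), the following Python shows the "{method}hash" userPassword convention he describes: how a value is split into its scheme prefix and payload, how {SHA} and {SSHA} values are generated and checked, and how a directory's existing userPassword values can be audited for the cleartext storage the message argues against. Assumptions: the {SHA} and {SSHA} layouts used here (base64 of the SHA-1 digest, with the salt appended to the digest before encoding for {SSHA}) follow the OpenLDAP convention rather than anything in RFC2256 or RFC2307; the sample userPassword values are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# "{scheme}payload" layout used by RFC2307-style userPassword values.
# Scheme names are treated case-insensitively, as deployed servers do.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# SHA-1 digests are 20 bytes; for {SSHA} everything after that is the salt.
_SHA1_LEN = 20


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, payload). SCHEME is None for a bare cleartext value."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def encode_sha(password: bytes) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Assumed OpenLDAP layout."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def encode_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt). Assumed OpenLDAP layout."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a stored userPassword value.

    Comparisons use hmac.compare_digest so timing does not leak how many
    leading bytes of the digest matched.
    """
    scheme, payload = split_scheme(stored)
    if scheme is None or scheme == "CLEARTEXT":
        # Cleartext storage: exactly the situation the message argues against.
        return hmac.compare_digest(payload.encode("utf-8"), candidate)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(candidate).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:_SHA1_LEN], raw[_SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    raise ValueError("unsupported userPassword scheme: %r" % scheme)


def audit(values) -> Dict[str, int]:
    """Count userPassword values per storage class so cleartext entries stand out.

    Classes: 'cleartext' (no scheme or {CLEARTEXT}), 'unsalted' ({SHA}),
    'salted' ({SSHA}), and 'other' for any scheme this example does not handle.
    """
    counts = {"cleartext": 0, "unsalted": 0, "salted": 0, "other": 0}
    for v in values:
        scheme, _ = split_scheme(v)
        if scheme is None or scheme == "CLEARTEXT":
            counts["cleartext"] += 1
        elif scheme == "SHA":
            counts["unsalted"] += 1
        elif scheme == "SSHA":
            counts["salted"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed sample values, as they might appear in an LDIF dump.
SAMPLE_USERPASSWORDS = [
    "secret",                                  # bare cleartext (RFC2256 literal reading)
    "{CLEARTEXT}secret",                       # explicit cleartext
    encode_sha(b"secret"),                     # {SHA}
    encode_ssha(b"secret", salt=b"saltsalt"),  # {SSHA} with fixed salt for reproducibility
    "{CRYPT}placeholder",                      # a scheme this example does not verify
]

if __name__ == "__main__":
    for v in SAMPLE_USERPASSWORDS[:4]:
        print(v, "->", verify(v, b"secret"), verify(v, b"wrong"))
    print(audit(SAMPLE_USERPASSWORDS))
```

Note that {SHA} and {SSHA} are shown because they are the schemes the "{method}hash" convention is most often seen with; an unsalted {SHA} value is no better than a cleartext value against a precomputed-table attack, which is why the audit reports it separately from {SSHA}.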