
RFC2256: userPassword
RFC2256 5.36 userPassword says "Passwords are stored using an
Octet String syntax and are not encrypted."  However, it's
common practice to store "encrypted" passwords in userPassword
using a mechanism derived from RFC2307 (i.e., userPassword: {method}hash).

For security considerations, I believe it unwise to ever maintain
a cleartext userPassword.  I believe RFC2256 should be updated to
read:

  Passwords are stored using an Octet String syntax and SHOULD be
  encrypted.  ...

It would also be wise to standardize the syntax for encrypted
userPassword representation (i.e., replace Octet String with an
appropriate syntax).

Kurt
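The `{method}hash` convention described in the post, worked through as an added example that is not part of the original message or of any RFC: a small encoder/verifier for RFC2307-style userPassword values plus a check that flags entries still holding a cleartext value. The `{SHA}` and `{SSHA}` schemes used here are an assumption borrowed from common LDAP server practice (RFC2307 itself names `{crypt}`); the sample directory entries are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple, List, Dict


def encode_sha(password: bytes) -> str:
    """Unsalted SHA-1 scheme: '{SHA}' + base64(sha1(password)). Assumed scheme name."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def encode_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 scheme: '{SSHA}' + base64(sha1(password + salt) + salt).

    The salt is appended in clear so the verifier can recover it; the SHA-1
    digest is always 20 bytes, which is how the two parts are split again.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(value: bytes) -> Tuple[Optional[str], bytes]:
    """Split a userPassword value into (scheme, payload).

    A value without a leading '{scheme}' prefix is the RFC2256 case: the
    octet string *is* the password, stored in cleartext, so scheme is None.
    """
    if value.startswith(b"{"):
        end = value.find(b"}")
        if end > 1:
            return value[1:end].decode("ascii", "replace").upper(), value[end + 1:]
    return None, value


def verify(stored: bytes, candidate: bytes) -> bool:
    """Check a bind password against a stored userPassword value.

    Comparisons use hmac.compare_digest so timing does not leak how many
    leading bytes matched. Unknown schemes fail closed.
    """
    scheme, payload = parse_userpassword(stored)
    if scheme is None:
        # Cleartext per RFC2256 5.36; accepted here only so the comparison
        # is correct, the audit below is what should catch such entries.
        return hmac.compare_digest(payload, candidate)
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    return False


def find_cleartext(entries: Dict[str, bytes]) -> List[str]:
    """Return the DNs whose userPassword carries no '{scheme}' prefix."""
    return [dn for dn, value in entries.items() if parse_userpassword(value)[0] is None]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES: Dict[str, bytes] = {
    "uid=alice,ou=people,dc=example,dc=com": encode_ssha(b"correct horse", b"saltsalt").encode(),
    "uid=bob,ou=people,dc=example,dc=com": encode_sha(b"battery staple").encode(),
    "uid=carol,ou=people,dc=example,dc=com": b"cleartext-secret",  # the case the post argues against
}

if __name__ == "__main__":
    for dn in find_cleartext(SAMPLE_ENTRIES):
        print("cleartext userPassword:", dn)
```

`find_cleartext` is the check a directory administrator would run before a policy change like the one proposed; the verifier shows why a prefix syntax matters, since without it a reader cannot tell a stored hash from a stored password. SHA-1 is used only because it is what the common schemes wrap; a new deployment would pick a slow, salted scheme.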