RE: RFC2256: userPassword



>>At 10:58 AM 6/29/99 -0700, Robert Allen wrote:
>>>The argument here is that having a bunch of world
>>>readable passwords IS the same as having cleartext passwords
>>>in today's world.
>>
>>The counter argument is that userPasswords are bound to fall
>>into the wrong hands regardless of what access controls you
>>deploy.

	I don't understand this viewpoint.  For example, I
	don't assume that my passwords (not stored in LDAP)
	which I use to access my bank accounts, etc., will
	inevitably fall into the wrong hands.  It seems to
	me that assuming they will in our business is a
	way of bypassing having to worry about decent security.
	

	IMHO,
	
	Robert
	rja@Eng.Sun.COM