
RE: RFC2256: userPassword



> Mark,
> 	Of course.  I agree completely and was not suggesting
> that passwords be in the clear inside of the directory.
> However I go a step further and note that having easily
> decrypted (i.e. hashed) passwords in the directory is not
> significantly more secure against attacks, just (as you note)
> against accidental exposure.
> 
> 	Before security can be built into a system people
> have to agree what is being secured, and what it's being
> secured against.

Of course, even agreeing that strong encryption must be used doesn't
really solve the problem. How do you store the key that's used to encrypt
the userPassword? This is a part of X.500's encrypted attributes that I
never quite got the hang of...
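To make the point in the quoted message concrete (that a hashed userPassword protects against accidental exposure but not against an attacker who has read the attribute), here is an added example that is not part of this thread. It assumes the RFC 2307 style `{SHA}` and `{SSHA}` userPassword encodings (base64 of the SHA-1 digest, with the salt appended for `{SSHA}`), a constructed five-word dictionary, and constructed directory entries; the DNs, passwords and helper names are illustrative only. It shows that every unsalted `{SHA}` value in the directory falls to a single precomputed table, while salted `{SSHA}` values must be attacked one entry at a time.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple

# Constructed word list standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "secret", "hunter2", "qwerty"]


def encode_sha(password: str) -> str:
    """Unsalted RFC 2307 style value: "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted value: "{SSHA}" + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)          # per-entry random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, encode_sha(candidate))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise ValueError("unsupported userPassword scheme")


def crack_unsalted(entries: Dict[str, str], wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Attack unsalted {SHA} values with one precomputed table.

    Returns (dn -> recovered password, number of hash computations).
    The table is built once and reused for every entry in the directory.
    """
    table = {encode_sha(w): w for w in wordlist}
    found = {dn: table[v] for dn, v in entries.items() if v in table}
    return found, len(wordlist)


def crack_salted(entries: Dict[str, str], wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Attack salted {SSHA} values: each entry needs its own pass over the list."""
    found: Dict[str, str] = {}
    ops = 0
    for dn, stored in entries.items():
        for w in wordlist:
            ops += 1
            if verify(stored, w):
                found[dn] = w
                break
    return found, ops


def demo() -> Tuple[int, int]:
    """Constructed directory: same passwords stored both ways."""
    people = {"uid=alice": "hunter2", "uid=bob": "secret", "uid=carol": "Tr0ub4dor&3"}
    unsalted = {dn: encode_sha(pw) for dn, pw in people.items()}
    salted = {dn: encode_ssha(pw) for dn, pw in people.items()}
    found_u, ops_u = crack_unsalted(unsalted, WORDLIST)
    found_s, ops_s = crack_salted(salted, WORDLIST)
    # Both schemes give up the dictionary words; only the cost differs.
    assert set(found_u) == set(found_s) == {"uid=alice", "uid=bob"}
    return ops_u, ops_s


if __name__ == "__main__":
    ops_unsalted, ops_salted = demo()
    print("hash computations, unsalted {SHA}:", ops_unsalted)
    print("hash computations, salted {SSHA}: ", ops_salted)
```

Note that salting only changes the attacker's cost per entry; any password that is in the dictionary is still recovered from either encoding, which is the point the quoted message makes about hashed values in the directory. The `hmac.compare_digest` calls are there so the verifier does not leak timing information, which matters for a server but not for the offline attack shown.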