RE: RFC2256: userPassword
At 12:39 PM 6/29/99 -0700, Robert Allen wrote:
>>>At 10:58 AM 6/29/99 -0700, Robert Allen wrote:
>>>>The argument here is that having a bunch of world
>>>>readable passwords IS the same as having cleartext passwords
>>>>in today's world.
>>>
>>>The counter argument is that userPasswords are bound to fall
>>>into the wrong hands regardless of what access controls you
>>>deploy.
>
> I don't understand this viewpoint.
Access controls are only part of providing security and
are not immune to failure. Minimizing the impact of access
control failures is also a valid part of overall security.
Deterring attack and abuse is another part. Another part of
security is limiting knowledge to those who need to know.
> For example I
> don't assume that my passwords (not stored in LDAP)
> which I use to access my bank accounts, etc., will
> inevitably fall into the wrong hands.
I assume that all my passwords, pins, etc. will
fall into the wrong hands.
> It seems to
> me that assuming they will in our business is a
> way of bypassing having to worry about decent security.
I did not intend to imply that encrypted userPassword
minimizes the need for other security measures.
Kurt