
RE: RFC2256: userPassword



At 12:39 PM 6/29/99 -0700, Robert Allen wrote:
>>>At 10:58 AM 6/29/99 -0700, Robert Allen wrote:
>>>>The argument here is that having a bunch of world
>>>>readable passwords IS the same as having cleartext passwords
>>>>in today's world.
>>>
>>>The counter argument is that userPasswords are bound to fall
>>>into the wrong hands regardless of what access controls you
>>>deploy.
>
>	I don't understand this viewpoint.

Access controls are only part of providing security and
are not immune to failure.  Minimizing the impact of access
control failures is also a valid part of overall security.
Deterring attack and abuse is another part.  Another part of
security is limiting knowledge to those who need to know.

>	For example I
>	don't assume that my passwords (not stored in LDAP)
>	which I use to access my bank accounts, etc., will
>	inevitably fall into the wrong hands.

I assume that all my passwords, pins, etc. will
fall into the wrong hands.

>	It seems to
>	me that assuming they will in our business is a
>	way of bypassing having to worry about decent security.

I did not intend to imply that encrypted userPassword
minimizes the need for other security measures.

Kurt