Re: RFC2256: userPassword



Paul Leach wrote:

> In _all_ the cases you presented, the third party software had your
> password, in the clear. In which case, if it isn't trustworthy, it has
> access to everything you hold dear. (Everything accessible with that
> password, anyway.)

In the cases where I've heard folk worry about this,
they weren't concerned about defending against a determined
attack. They were worried that the 3rd party application
would run amok and randomly change their data.
Usually we manage to convince them that this 
isn't likely (because said applications do not
contain any code sequences capable of generating
LDAP update operations).