> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Monday, November 08, 1999 8:46 PM
> To: ietf-ldapext@netscape.com
> Subject: C LDAP API: security considerations
>
>
> I believe it wise to add a security consideration stating that
> implementations should not reuse authentication information,
> without application interaction, when chasing referrals.
> That is, unless the application authorizes reuse with the
> authentication information (or provides new information via
> some mechanism) with the server chased, the implementation
> should use an anonymous bind.
I disagree. This will just encourage making information available to anonymous binds. Use of anonymous bind in this scenario violates basic security principles -- the request should be made under the appropriate identity.
>
> Even if DIGEST-MD5 was in use, such application interaction
> should still be recommended to be consistent with "keeping
> long-lived copies of credentials without the application's
> knowledge is discouraged."
The application does have knowledge. It's the one providing the credentials for the referral.
Your underlying point is valid. Applications should be careful when keeping creds or cred-like info around. In fact, they really need to entrust such info to the OS, which can keep it encrypted in a non-pageable place. But, if proper precautions are taken, there is no reason that the referral should not be made using correct, authenticated, identity.
Paul
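The two positions above differ on the default, not on the mechanism: both assume the application, not the library, decides which identity a chased referral is made under. The following is an added example, not part of this thread, of the C LDAP API draft, or of any LDAP library. It sketches the application-side policy that a library's rebind hook would consult: the original bind's credentials are reused only for servers the application has explicitly authorized, a different identity can be supplied per server, and everything else falls back to an anonymous bind. The names ReferralCredentialPolicy, BindCreds and referral_origin, the hostnames, and the treatment of a referral URL with no host part as "the server that issued the referral" are all assumptions of this example.

```python
"""Hypothetical application-side policy for the credentials used when an LDAP
client library chases a referral.  Example code, not from the C LDAP API draft
or any LDAP library; the library-specific rebind hook is outside its scope.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class BindCreds:
    dn: str        # bind DN; "" for an anonymous bind
    password: str  # "" for an anonymous bind

    @property
    def anonymous(self) -> bool:
        return self.dn == "" and self.password == ""


ANONYMOUS = BindCreds("", "")

# (scheme, lowercased host, port) identifies the server a URL points at.
Origin = Tuple[str, str, int]


def referral_origin(url: str, fallback: Optional[Origin] = None) -> Origin:
    """Reduce an LDAP URL (RFC 2255 form ldap://host:port/dn?attrs?scope?filter)
    to the server it names, normalizing case and default ports so that
    ldap://H:389/ and ldap://h/ compare equal.  A URL with no host part is
    treated here (assumption of this example) as the server that issued the
    referral, which the caller passes as `fallback`."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        if fallback is None:
            raise ValueError(f"referral URL without host and no fallback: {url!r}")
        return fallback
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


class ReferralCredentialPolicy:
    """Decides which identity to present to the server named in a referral.

    Default is anonymous (the conservative position in the thread); the
    application opts in per server, either reusing the original credentials or
    naming a different identity for that server (the 'appropriate identity'
    position).  The library never gets to reuse credentials on its own."""

    def __init__(self, original_url: str, original_creds: BindCreds):
        self.origin = referral_origin(original_url)
        self.original_creds = original_creds
        self._authorized: Dict[Origin, BindCreds] = {}

    def authorize(self, server_url: str, creds: Optional[BindCreds] = None) -> None:
        """Application decision: the server named by `server_url` may receive
        `creds`, or the original bind's credentials when `creds` is None."""
        self._authorized[referral_origin(server_url)] = creds or self.original_creds

    def credentials_for(self, referral_url: str) -> Tuple[BindCreds, str]:
        """Return (credentials, reason) for the server in `referral_url`.
        The reason is meant for the application's audit log, so a silent
        downgrade to anonymous never goes unnoticed."""
        target = referral_origin(referral_url, fallback=self.origin)
        if target == self.origin:
            # The application already chose to give these credentials to this server.
            return self.original_creds, "referral back to the server that authenticated us"
        creds = self._authorized.get(target)
        if creds is None:
            # Different scheme or port counts as a different server: an
            # authorization for ldaps://host does not cover ldap://host.
            return ANONYMOUS, "no authorization for %s://%s:%d, binding anonymously" % target
        return creds, "application-authorized identity for %s://%s:%d" % target


if __name__ == "__main__":
    # Constructed sample: the application bound to one server and authorizes two others.
    policy = ReferralCredentialPolicy("ldap://ldap.example.org",
                                      BindCreds("cn=app,dc=example,dc=org", "s3cret"))
    policy.authorize("ldaps://replica.example.org")                       # reuse original identity
    policy.authorize("ldap://partner.example.net",
                     BindCreds("cn=guest,dc=example,dc=net", "guest"))   # different identity
    for url in ("ldaps://replica.example.org/dc=example,dc=org??sub?(uid=jdoe)",
                "ldap://replica.example.org/dc=example,dc=org",           # not the authorized scheme
                "ldap://PARTNER.example.net:389/dc=example,dc=net??sub",
                "ldap://unknown.example.com/dc=example,dc=com"):
        creds, reason = policy.credentials_for(url)
        print(f"{url}\n  -> {creds.dn or '(anonymous)'}: {reason}")
```

In a real client this policy would be called from whatever rebind callback the library offers when it is about to open a connection to the referred-to server; the point of keeping the decision in application code is that the library holds no long-lived copy of the credentials and cannot send them anywhere the application did not name.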