[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAPDN and AuthMeth/DIGEST-MD5

To: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Subject: RE: LDAPDN and AuthMeth/DIGEST-MD5
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
Date: Sun, 21 Nov 1999 04:48:12 -0800
Cc: "'Kurt D. Zeilenga'" <kurt@boolean.net>, ietf-ldapext@netscape.com
In-reply-to: <19398D273324D3118A2B0008C7E9A569051BEAF4@SIT.platinum.corp.microsoft.com>
Resent-date: Sun, 21 Nov 1999 04:50:42 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"V826B.A.h-B.aq-N4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

At 07:02 PM 11/19/99 -0800, Paul Leach (Exchange) wrote:
>
>
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
>> Sent: Friday, November 19, 1999 6:17 PM
>> To: Mark Wahl
>
>> 
>> Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
>> not work for DN-based authorization identities.  A canonical
>> utf8 representation of DNs is necessary.
>
>I don't think so. From the Digest-MD5 draft:

>Hence, all that is necessary is that the server use exactly the
>authzid-value that the client used to compute A1

Which means that the server cannot precomute and store A1,
it must store the clear text password.  If it stores the
clear text password and the storage is cracked, the real
clear text password is exposed.

>it does not need to be canonicalized.

In needs to be canonicalized to allow servers to avoid
non clear text storage.

References:
- RE: LDAPDN and AuthMeth/DIGEST-MD5
  - From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>

Prev by Date: RE: LDAPDN and AuthMeth/DIGEST-MD5
Next by Date: RE: LDAPDN and AuthMeth/DIGEST-MD5
Index(es):
- Chronological
- Thread