RE: LDAPDN and AuthMeth/DIGEST-MD5



My terminology was off and I confused A1 with the stored
hash.  I'll try to clarify my comments.

At 05:53 PM 11/21/99 -0800, you wrote: 
> No. It can store 
>        H( { username-value, ":", realm-value, ":", passwd }  
> which is what was intended to be precomputed, not A1. 

If the user-provided identity (username-value) is an
LDAP DN, this cannot be precomputed unless both client
and server agree on a canonical string encoding for
DNs.  Without such an agreement, the password would
have to be stored in clear text.

From previous discussions, you noted that use of LDAPDN
format user identities was inappropriate for SASL-based
authentication.  This may be true.  However, it does
leave AuthMeth without providing a secure mechanism for
authenticating users who provide LDAPDN identities.  Such
a mechanism is needed and, IMO, AuthMeth should not be
progressed without such a mechanism.

	Kurt
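
An added illustration of the canonicalization problem discussed above; it is not part of the original message. It computes the stored hash H({ username-value, ":", realm-value, ":", passwd }) with H = MD5 for two string encodings of the same DN. The canonical_dn() rules, the sample DNs, the realm and the password are constructed assumptions, not an agreed canonical encoding.

```python
import hashlib
import re


def stored_hash(username: str, realm: str, passwd: str) -> str:
    """H({ username-value, ":", realm-value, ":", passwd }) with H = MD5."""
    return hashlib.md5(f"{username}:{realm}:{passwd}".encode("utf-8")).hexdigest()


def canonical_dn(dn: str) -> str:
    """Hypothetical, simplified canonical form (an assumption for this example):
    ',' as the only RDN separator, no spaces around separators or '=',
    runs of spaces collapsed, attribute types and values lowercased.
    Multi-valued RDNs, quoting and hex-encoded values are not handled."""
    rdns = []
    for rdn in re.split(r"(?<!\\)[,;]", dn):
        attr, _, value = rdn.partition("=")
        value = " ".join(value.split())
        rdns.append(f"{attr.strip().lower()}={value.lower()}")
    return ",".join(rdns)


def server_accepts(stored: str, client_username: str, realm: str, passwd: str,
                   canonicalize: bool) -> bool:
    """Compare only the inner hash; the nonce/cnonce parts of A1 are omitted
    because they do not affect the point being shown."""
    name = canonical_dn(client_username) if canonicalize else client_username
    return stored_hash(name, realm, passwd) == stored


# Constructed sample values: two encodings of the same DN.
DN_AT_ENROLLMENT = "cn=Jane Doe,dc=example,dc=com"
DN_FROM_CLIENT = "CN=Jane  Doe; DC=Example, DC=COM"
REALM, PASSWD = "example.com", "correct horse"

if __name__ == "__main__":
    # Server precomputed the hash over the string it saw at enrollment.
    raw = stored_hash(DN_AT_ENROLLMENT, REALM, PASSWD)
    print("no agreed encoding:", server_accepts(raw, DN_FROM_CLIENT, REALM, PASSWD, False))
    # Both sides canonicalize before hashing.
    canon = stored_hash(canonical_dn(DN_AT_ENROLLMENT), REALM, PASSWD)
    print("agreed encoding:   ", server_accepts(canon, DN_FROM_CLIENT, REALM, PASSWD, True))
```
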