
Re: Security Considerations in draft-weltman-ldapv3-auth-response-01.txt
At 11:11 AM 2/9/00 -0800, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> I suggest noting explicitly in Security Considerations that the
>> control is not protected by the SASL privacy or integrity
>> protection negotiated by the BIND process returning this control.
>> A client requiring such protection must rely on independent
>> services, such as TLS or IPSEC, or use some operation after
>> negotiating SASL protection services.
>  That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection.

I am specifically concerned that the DN returned may be modified
in transit by a man-in-the-middle, and that the client may assume
incorrectly that the information is protected by services
negotiated during the bind operation.

I believe any specification of a control passed in a Bind
Request or Response should have an explicit security consideration
statement that the control is not protected by services which the
Bind may or may not negotiate.
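The timing issue behind this thread, as an added illustration that is not part of the original message or of the draft: a SASL security layer only takes effect after the final BindResponse of the authentication exchange, so a control carried in that response travels unprotected, whereas any operation sent afterwards is covered by the layer. The model below is constructed for this purpose (it is not an LDAP implementation): messages are JSON, the "security layer" is an HMAC over the message body keyed by a constructed session key, and the later identity-returning operation is a hypothetical "whoami" extended operation. It shows that a modified DN in the bind-response control is accepted silently, while the same modification to a response sent under the layer is detected.

```python
import hashlib
import hmac
import json

# Constructed session key, standing in for whatever key the SASL mechanism
# would have derived during the bind exchange (hypothetical value).
SESSION_KEY = b"constructed-session-key"


def wrap(msg: dict, key: bytes) -> bytes:
    """Model of the SASL integrity layer: body followed by an HMAC tag."""
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unwrap(frame: bytes, key: bytes) -> dict:
    """Verify the HMAC tag before trusting the body; reject on mismatch."""
    body, _, tag = frame.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(body)


def server_bind_response(authz_dn: str) -> bytes:
    # Final BindResponse carrying the authorization-identity control.
    # The security layer is installed only *after* this message, so it is
    # emitted as plain bytes with no integrity protection at all.
    msg = {
        "op": "BindResponse",
        "resultCode": 0,
        "controls": [{"type": "authzId", "value": authz_dn}],
    }
    return json.dumps(msg, sort_keys=True).encode()


def server_whoami_response(authz_dn: str, key: bytes) -> bytes:
    # Hypothetical later operation returning the same identity, now sent
    # through the negotiated layer.
    return wrap({"op": "ExtendedResponse", "authzId": authz_dn}, key)


def modify_in_transit(frame: bytes, old: str, new: str) -> bytes:
    """Model of an on-path modification of the DN inside a frame."""
    return frame.replace(old.encode(), new.encode())


def client_read_bind_control(frame: bytes) -> str:
    # Nothing to verify here: the client has no layer yet, so it can only
    # parse the bytes as received.
    return json.loads(frame)["controls"][0]["value"]


def client_read_whoami(frame: bytes, key: bytes) -> str:
    return unwrap(frame, key)["authzId"]


def run_demo() -> dict:
    real = "dn:cn=alice,dc=example,dc=com"      # constructed identity
    forged = "dn:cn=admin,dc=example,dc=com"    # constructed substitute

    # 1. Bind response: the modified control value is accepted without error.
    bind = modify_in_transit(server_bind_response(real), real, forged)
    control_dn = client_read_bind_control(bind)

    # 2. The same modification to a response under the layer is detected.
    whoami = modify_in_transit(server_whoami_response(real, SESSION_KEY), real, forged)
    try:
        client_read_whoami(whoami, SESSION_KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # 3. An unmodified protected response yields the real identity.
    clean_dn = client_read_whoami(server_whoami_response(real, SESSION_KEY), SESSION_KEY)

    return {
        "control_dn": control_dn,
        "control_was_forged": control_dn != real,
        "whoami_tamper_detected": tamper_detected,
        "whoami_clean_dn": clean_dn,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The practical reading for a client: treat the identity in a bind-response control as advisory unless the transport itself is already protected (for example TLS established before the bind), and confirm the identity with an operation issued after the SASL layer is active if the result matters for access decisions.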