
Re: Security Considerations in draft-weltman-ldapv3-auth-response-01.txt



"Kurt D. Zeilenga" wrote:

> At 11:11 AM 2/9/00 -0800, Rob Weltman wrote:
> >"Kurt D. Zeilenga" wrote:
> >> I suggest noting explicitly in Security Considerations that the
> >> control is not protected by the SASL privacy or integrity
> >> protection negotiated by the BIND process returning this control.
> >> A client requiring such protection must rely on independent
> >> services, such as TLS or IPSEC, or use some operation after
> >> negotiating SASL protection services.
> >  That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection.
>
> I am specifically concerned that the DN returned may be modified
> in transit or by man in the middle and the client may assume
> incorrectly that the information is protected by services
> negotiated during the bind operation.
>
> I believe any specification of a control passed in a Bind
> Request or Response should have an explicit security consideration
> statement that the control is not protected by services which the
> Bind may or may not negotiate.

I see. Thanks for pointing that out. The response is returned before any session protection takes effect, so it is more exposed than any other data-carrying LDAP response.

Rob
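A constructed model of the point raised above, added here and not part of the original correspondence: the identity returned in the Bind response control is outside the integrity layer that the same Bind negotiates, whereas an operation issued afterwards (modelled as a whoami-style query) is covered by it. The messages are plain dicts rather than LDAP BER, an HMAC stands in for the SASL integrity layer, and the session key, DNs and function names are all assumptions.

```python
# Constructed model, not LDAP BER: messages are dicts and an HMAC stands in
# for the SASL integrity layer that the Bind negotiates.
import hashlib
import hmac

SESSION_KEY = b"constructed-sasl-session-key"   # assumed to come from SASL
REAL_IDENTITY = "cn=alice,dc=example,dc=com"     # constructed value

def _mac(key: bytes, body: dict) -> bytes:
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(body.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()

def server_bind_response() -> dict:
    # The control rides inside the Bind response; the layer this Bind
    # negotiates only starts afterwards, so no MAC covers this message.
    return {"body": {"result": "success", "authzid": REAL_IDENTITY}, "mac": None}

def server_whoami_response(key: bytes) -> dict:
    # Any operation issued after the Bind runs under the negotiated layer.
    body = {"authzid": REAL_IDENTITY}
    return {"body": body, "mac": _mac(key, body)}

def on_path_rewrite(msg: dict) -> dict:
    # The in-transit modification the thread is concerned about.
    msg["body"]["authzid"] = "cn=mallory,dc=example,dc=com"
    return msg

def client_view(key: bytes, bind_resp: dict, whoami_resp: dict) -> dict:
    """Client policy: trust only the identity received under the integrity
    layer, and check that the Bind-time control agrees with it."""
    protected = whoami_resp["mac"] is not None and hmac.compare_digest(
        whoami_resp["mac"], _mac(key, whoami_resp["body"]))
    confirmed = whoami_resp["body"]["authzid"] if protected else None
    return {
        "control_authzid": bind_resp["body"]["authzid"],
        "confirmed_authzid": confirmed,
        "whoami_integrity_ok": protected,
        "control_matches": protected and bind_resp["body"]["authzid"] == confirmed,
    }

def run_session(tamper_bind: bool = False, tamper_whoami: bool = False) -> dict:
    bind_resp = server_bind_response()
    if tamper_bind:
        bind_resp = on_path_rewrite(bind_resp)      # goes unnoticed by itself
    whoami_resp = server_whoami_response(SESSION_KEY)
    if tamper_whoami:
        whoami_resp = on_path_rewrite(whoami_resp)  # MAC no longer verifies
    return client_view(SESSION_KEY, bind_resp, whoami_resp)
```

Running `run_session(tamper_bind=True)` shows the rewritten control value arriving without any integrity failure, which only the comparison against the post-Bind answer exposes; `run_session(tamper_whoami=True)` shows the same rewrite being caught by the layer.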