
Re: I-D ACTION:draft-zeilenga-ldap-authpasswd-03.txt

At 11:20 AM 7/14/00 -0400, Rich Salz wrote:
>"It is recommended that the value of (SHA-1 hashes) be protected as if
>they were plaintext.  (Sec 5.2)"
>
>Why?

Because if a flaw is found in the SHA-1 algorithm, your
directory would be vulnerable to attack if you exposed
SHA-1 values.  The use of SHA-1 (or other algorithms)
offers an additional layer of protection such that if
one layer fails (access controls upon the values), other
layers will offer some protection against immediate
access to the directory.  Reliance upon a single layer
of security is unwise.

I will add some text to the next revision discussing
this security consideration.

Kurt
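The layered-defence argument above can be made concrete in code. The following is an added example written by the editor; it is not code from the draft or from the thread participants. It assumes the SHA1 authPassword layout `SHA1$base64(salt)$base64(SHA1(password || salt))`, a constructed wordlist, and a toy access-control check; the scheme layout is the editor's reading of the draft and should be treated as an assumption, not a quotation. It shows the two layers Kurt describes: an access-control layer that keeps the value from being read, and the hash layer that, once the value has leaked, is all that stands between an attacker and the password. Even with no flaw in SHA-1 at all, a leaked value can be attacked offline by guessing, which is why the draft's advice to treat the values like plaintext is sound.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist for the offline-attack demonstration (not from the draft).
WORDLIST = ["password", "letmein", "secret", "correct horse", "Tr0ub4dor&3"]


def make_authpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Build a value in the SHA1 authPassword form assumed here:
    'SHA1' '$' base64(salt) '$' base64(SHA1(password || salt)).
    Field order and concatenation are the editor's assumption."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "SHA1$%s$%s" % (
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_authpassword(value: str, candidate: str) -> bool:
    """Verify a candidate password against a stored authPassword value.
    Uses a constant-time comparison so the verifier itself does not leak."""
    scheme, auth_info, auth_value = value.split("$")
    if scheme.strip().upper() != "SHA1":
        raise ValueError("unsupported scheme: %r" % scheme)
    salt = base64.b64decode(auth_info.strip())
    expected = base64.b64decode(auth_value.strip())
    actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, expected)


def read_attribute(entry: dict, attr: str, requester: str):
    """Layer 1: access control. In this toy model only the entry itself and the
    directory administrator (hypothetical DN 'cn=admin') may read authPassword.
    A real server enforces this in its ACL configuration, not in application code."""
    if attr == "authPassword" and requester not in (entry["dn"], "cn=admin"):
        raise PermissionError("%s may not read %s of %s" % (requester, attr, entry["dn"]))
    return entry[attr]


def offline_dictionary_attack(value: str, wordlist) -> Optional[str]:
    """Layer 2 under attack: what an adversary does once the value has leaked
    past access control. No weakness in SHA-1 is needed; the salt only stops
    precomputation, not per-value guessing. Returns the recovered password or None."""
    for word in wordlist:
        if check_authpassword(value, word):
            return word
    return None


def demo() -> dict:
    """Walk through both layers and report what each one did."""
    entry = {
        "dn": "uid=jdoe,dc=example,dc=com",   # constructed entry
        "authPassword": make_authpassword("letmein", salt=b"12345678"),
    }
    result = {"acl_blocked_anonymous": False, "leaked_password": None}

    # Layer 1 holds: an anonymous reader never sees the value.
    try:
        read_attribute(entry, "authPassword", requester="")
    except PermissionError:
        result["acl_blocked_anonymous"] = True

    # Layer 1 fails (misconfigured ACL, backup copy, replication leak):
    # the attacker now has the value and attacks it offline.
    leaked = entry["authPassword"]
    result["leaked_password"] = offline_dictionary_attack(leaked, WORDLIST)
    return result


if __name__ == "__main__":
    print(demo())
```

The value of the hash layer is real but limited: it buys time and defeats trivial reading, and for a strong password the dictionary attack in `demo()` would return `None`. It does not make the value safe to publish, which is exactly the draft's point.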