
2829 questions



Hi Authentication Guys,

A few questions come to mind when thinking about Authentication as used
by the acl draft...

1. Reading 2829bis, I think DIGEST-MD5 is mandatory ONLY IF your server
supports password-based authentication... but the following makes it
sound mandatory to provide BOTH password authentication AND DIGEST-MD5:

"6.2. Digest authentication

   LDAP implementations MUST support authentication with a password
   using the DIGEST-MD5 SASL mechanism for password protection, as
   defined in section 6.1."

The thing is for acl it would be nice (though not critical) to be able
to default the required authentication level for a subject to a single
"fairly secure" mechanism--if there is no such mandatory authentication
scheme then you cannot do that.

2. Again on the subject of authentication level, is it possible to
define an ordering on authentication levels which defines their relative
"strengths" ? This would be useful in acl as you could say things like
"a given aci grants access to a given subject at this authentication
level AND ABOVE".  David Chadwick raised this before in the context of
denying access to a subject at a given authentication level, in which
case he wanted to express "deny access to this subject at this
authentication level AND TO ALL IDENTITIES AUTHENTICATED BELOW THAT
LEVEL". 

3. While I'm here...in 2829, I think it would be good to have some
comments or explicit reference to a place where the security properties
of the particular mandatory authentication schemes are outlined.  When I
say "security properties" I mean stuff like "This scheme is vulnerable
to such and such attacks, is only safe if the key size is > 50, this
hash is widely considered the best, etc...".  I think an LDAP
implementor is likely to be interested in that information, without
having to wade through the security RFCs.

Rob.
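As an added illustration of the ordering question in point 2 (this is example code written for this page, not Rob's code and not anything the acl draft or RFC 2829 defines), the following Python sketches what an ACL evaluator looks like once authentication levels are totally ordered. The ranking anonymous < simple < DIGEST-MD5 < TLS client certificate, the names AuthLevel, Aci, level_for_bind and is_allowed, the "deny at this level and below" / "grant at this level and above" semantics, and the rule that an applicable deny beats any grant are all assumptions made for the example; the constructed ACIs and subject DNs are sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class AuthLevel(IntEnum):
    """Assumed total order of authentication levels, weakest first.

    The ranking is an assumption for this example; neither the acl draft
    nor RFC 2829 defines one.
    """
    ANONYMOUS = 0        # no bind, or an anonymous bind
    SIMPLE = 1           # simple bind: cleartext password
    DIGEST_MD5 = 2       # SASL DIGEST-MD5 (RFC 2829 section 6.2)
    TLS_CLIENT_CERT = 3  # SASL EXTERNAL over TLS with a client certificate


def level_for_bind(mechanism: Optional[str], tls: bool = False) -> AuthLevel:
    """Map how a connection bound to an AuthLevel (assumed mapping)."""
    if mechanism is None:
        return AuthLevel.ANONYMOUS
    mech = mechanism.upper()
    if mech == "SIMPLE":
        return AuthLevel.SIMPLE
    if mech == "DIGEST-MD5":
        return AuthLevel.DIGEST_MD5
    if mech == "EXTERNAL" and tls:
        return AuthLevel.TLS_CLIENT_CERT
    # Anything we cannot rank must not silently become "strong".
    raise ValueError(f"unranked mechanism: {mechanism!r} (tls={tls})")


@dataclass(frozen=True)
class Aci:
    """One access control item (hypothetical shape, not the draft's syntax)."""
    subject: str        # subject DN, or "*" for any subject
    permission: str     # e.g. "read" or "write"
    level: AuthLevel    # the threshold level the rule is written against
    grant: bool         # True: grant at `level` AND ABOVE
                        # False: deny at `level` AND BELOW

    def applies(self, subject: str, permission: str, level: AuthLevel) -> bool:
        if self.subject not in ("*", subject) or self.permission != permission:
            return False
        # The ordering is what makes "and above" / "and below" expressible.
        return level >= self.level if self.grant else level <= self.level


def is_allowed(acis: Iterable[Aci], subject: str, permission: str,
               level: AuthLevel) -> bool:
    """Evaluate ACIs for a request; an applicable deny wins (assumed rule)."""
    matching = [a for a in acis if a.applies(subject, permission, level)]
    if any(not a.grant for a in matching):
        return False
    return any(a.grant for a in matching)


# Constructed sample policy, not taken from any real directory.
SAMPLE_ACIS = (
    # Rob may read, but only when authenticated with DIGEST-MD5 or better.
    Aci("cn=rob,o=example", "read", AuthLevel.DIGEST_MD5, grant=True),
    # Anyone may write in principle...
    Aci("*", "write", AuthLevel.ANONYMOUS, grant=True),
    # ...except that simple-password and anonymous identities are denied
    # (David Chadwick's "this level and all identities below it" case).
    Aci("*", "write", AuthLevel.SIMPLE, grant=False),
)


if __name__ == "__main__":
    rob = "cn=rob,o=example"
    for mech, tls in ((None, False), ("SIMPLE", False),
                      ("DIGEST-MD5", False), ("EXTERNAL", True)):
        lvl = level_for_bind(mech, tls)
        print(f"{lvl.name:16} read={is_allowed(SAMPLE_ACIS, rob, 'read', lvl)!s:5} "
              f"write={is_allowed(SAMPLE_ACIS, rob, 'write', lvl)}")
```

The point the example makes is the one in the message: once levels are comparable, a single "grant at level L and above" rule covers every stronger mechanism a server may add later, and a single "deny at level L and below" rule closes the weaker ones, without enumerating mechanisms in each ACI. Without an agreed ordering, each such rule has to be spelled out per mechanism.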