[Date Prev][Date Next] [Chronological] [Thread] [Top]

Authentication Levels for ACMs

To: ietf-ldapext@netscape.com
Subject: Authentication Levels for ACMs
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 05 Apr 2001 15:17:10 -0700

Here is how I suggest authentication levels be described:

LDAP supports numerous authentication methods and which offer
a wide range of security protections.  Some methods support
multiple mechanisms.

The strength of each mechanism can depend on many variables.
While it is possible to develop an access control factor which
is a parameterization of the methods, mechanisms, and other
variables; practical use of such a factor would be limited.

The average directory administrator (or user) has no clue as
to what strength (or level) of authentication of a
parameterazation like: 'SASL/EXTERNAL/TLS/GSSAPI' or
'SIMPLE/TLS/X.509' implied.  The average directory administrator
(and user) can understand simple terms like "weak" and "strong".

It is possible to define a small set of terms in a general
manner allowing for uses of particular mechanisms to be
categorized.

The following authentication levels (in increasing order
of strength) "unauthenticated", "weak", "limited", and "strong"
based using terminology defined in [RFC 2828].

The "unauthenticated" level implies an anonymous authentication
association.

The "weak" level implies that the authentication mechanism
is prone to both passive and active attacks.

The "limited" level implies that the authentication is
protects against passive attacks but may be prone to
active attacks.

The "strong" level implies the authentication mechanism
protects against both passive and active attacks.

A RECOMMENDED categorization is offered separately.  For
each mechanism categorized in the recommendation,
implementations SHOULD NOT assign a higher authentication
level but MAY assign a lower authentication level.  For
mechanisms not covered by the recommendation, the implementation
SHOULD a conservative level.  Implementations SHOULD provide
a means for the directory administrator for disabling mechanisms
and/or lowering the authentication level associated with a
mechanism.

----

I would be willing to provide the RECOMMENDED categorization
if the consensus of this WG is to pursue this.

Kurt

Follow-Ups:
- Re: Authentication Levels for ACMs
  - From: robert byrne <robert.byrne@Sun.COM>

Prev by Date: ITET up 30% since featured at smallcaptimes.com
Next by Date: Be Healthier: Clean Your Indoor Air!
Index(es):
- Chronological
- Thread