
Re: SASL/EXTERNAL - why/how?



Turbo Fredriksson writes:
> Why would anyone use this?
> (...)
> This is what I managed to find about the mechanism:
> 
> 1. Client and server negotiate cipher suite with encryption algorithm 
> 2. Server requests client certificate 
> 3. Client sends certificate and performs a private key based
>    encryption to prove its possession 
> 4. Server checks validity of certificate and its CA
> 
> But that looks a little bleak. Is there nothing more?

You missed two possible steps:

 -1. When you receive the certificate and private key, the private key
     (used in step 3) is stored in an encrypted format, so nobody can
     break into your account to see your private key.

  0. Client asks user for key (or "pass phrase") and uses this to
     decrypt the private key.

This is supposed to be more secure than plain password login over TLS,
but I don't know how one "measures" that.  On the one hand, it does
require you to both know the pass phrase and have access to the key
file, but on the other hand, the server can't put any requirement on the
length of the pass phrase, or know that the key file is stored in a
secure place, or even require that a pass phrase is used.

-- 
Hallvard