[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SHA-2 support (was: Permissions, users, startup when install from source)

On Wed, Jan 16, 2013 at 11:18 AM, Pierangelo Masarati
<masarati@aero.polimi.it> wrote:
>> --On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder
>> <michael@stroeder.com> wrote:
>>> Quanah Gibson-Mount wrote:
>>>> --On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani
>>>> <oribani@gmail.com> wrote:
>>>>> Why hasn't the sha2 module been migrated out of the
>>>>> contrib directory
>>>> The "core" of OpenLDAP tries to be as RFC compliant as possible.  There
>>>> is no RFC that I'm aware of that adds SHA2 support.
>>> Sorry, this is an artificial argument which is simply not valid!
>>> Can you tell me which RFC specifies how to handle LANMAN hashes
>>> (--enable-lmpasswd)? There are plenty similar examples...
>> OpenLDAP, like many software projects that have existed for numerous
>> years,
>> has grown in its development practices.  Just because something was done
>> incorrectly in the past is not a reason to continue doing so.  Feel free
>> to
>> port lanman hashes to a contrib module.
> I'm not an expert in security, so this is just my 2c.  In general, as far
> as I recall, we tend to be pragmatic when appropriate.  So asking a fancy
> useless feature to become mainstream because other fancy useless features
> made it long ago is pointless.  But when it comes to security, I think it
> may be wise to break the rule every now and then.

I'd add that things like sha2 aren't "fancy" and frivolous at all, but
commonly recommended.  As I mentioned, the more adoption it gets, the
more the RFC authors will be encouraged to update, but even if not,
deferring to the (outdated, if it in fact mentions SHA1 and nothing
better) RFC on an issue like this may not be the best approach.