[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SHA-2 support (was: Permissions, users, startup when install from source)

To: Pierangelo Masarati <masarati@aero.polimi.it>
Subject: Re: SHA-2 support (was: Permissions, users, startup when install from source)
From: Ori Bani <oribani@gmail.com>
Date: Wed, 16 Jan 2013 13:05:04 -0800
Cc: "Michael StrÃ¶der" <michael@stroeder.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=uxqu8dvZaMWnFwU+QnV2zNqWZ/hgxs38OS7VNQX1Vlw=; b=EhhxEF0GvaN8sxPa5v5zQNR/qwj6lE+5BnvAqZmSNenDXZFRHujtuqy1qKLwvKRbwu +rfc2SBtVIl4Mqr5r0Y/iFOmOXIDDieo7KmbdbDxxj7c18ndOZKMVx5UhNGGf7k4P6P7 v47engaprqYPvnFfEaewgUU069GGDdVFlVjJblYWEOcmaxjJTABgYTj1SC2tjm8ulMm0 JjBXWoyUknZHR1hqARAlD/nXHVz+gTjvxX3U5+xyRsywncrndukb1yr7idfdP3C1v3b3 39WHg2pym6QkojLXGMavHrCzUvwxi/j2euQbK4kpbT+ts8UEQvV08fc09ECLoXvJxBet 5IXw==
In-reply-to: <172a60ab116be4af30fdcee258a20421.squirrel@www.aero.polimi.it>
References: <CALBCx2dpba+PKTb4z-EvXRJmT39FChMz+D+8hT1q2nxz7Pg5Og@mail.gmail.com> <BAB54DB833638F822A9755E0@192.168.1.64> <CALBCx2ddnNg7eCoSAkORQU2cRw-DofyXG-gbjhcfSnvVvqzxdA@mail.gmail.com> <0A719B2185DFF3E5C44C5B8B@192.168.1.54> <50F64B17.2050904@stroeder.com> <650C2F4D9005B5D8DC5C82CA@192.168.1.54> <172a60ab116be4af30fdcee258a20421.squirrel@www.aero.polimi.it>

On Wed, Jan 16, 2013 at 11:18 AM, Pierangelo Masarati
<masarati@aero.polimi.it> wrote:
>
>> --On Wednesday, January 16, 2013 7:39 AM +0100 Michael StrÃ¶der
>> <michael@stroeder.com> wrote:
>>
>>> Quanah Gibson-Mount wrote:
>>>> --On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani
>>>> <oribani@gmail.com> wrote:
>>>>> Why hasn't the sha2 module been migrated out of the
>>>>> contrib directory
>>>>
>>>> The "core" of OpenLDAP tries to be as RFC compliant as possible.  There
>>>> is no RFC that I'm aware of that adds SHA2 support.
>>>
>>> Sorry, this is an artificial argument which is simply not valid!
>>>
>>> Can you tell me which RFC specifies how to handle LANMAN hashes
>>> (--enable-lmpasswd)? There are plenty similar examples...
>>
>> OpenLDAP, like many software projects that have existed for numerous
>> years,
>> has grown in its development practices.  Just because something was done
>> incorrectly in the past is not a reason to continue doing so.  Feel free
>> to
>> port lanman hashes to a contrib module.
>
> I'm not an expert in security, so this is just my 2c.  In general, as far
> as I recall, we tend to be pragmatic when appropriate.  So asking a fancy
> useless feature to become mainstream because other fancy useless features
> made it long ago is pointless.  But when it comes to security, I think it
> may be wise to break the rule every now and then.

I'd add that things like sha2 aren't "fancy" and frivolous at all, but
commonly recommended.  As I mentioned, the more adoption it gets, the
more the RFC authors will be encouraged to update, but even if not,
deferring to the (outdated, if it in fact mentions SHA1 and nothing
better) RFC on an issue like this may not be the best approach.

Follow-Ups:
- Re: SHA-2 support (was: Permissions, users, startup when install from source)
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

References:
- Permissions, users, startup when install from source
  - From: Ori Bani <oribani@gmail.com>
- Re: Permissions, users, startup when install from source
  - From: Ori Bani <oribani@gmail.com>
- SHA-2 support (was: Permissions, users, startup when install from source)
  - From: Michael Ströder <michael@stroeder.com>
- Re: SHA-2 support (was: Permissions, users, startup when install from source)
  - From: "Pierangelo Masarati" <masarati@aero.polimi.it>

Prev by Date: Re: Access questions
Next by Date: Re: Replication not working
Index(es):
- Chronological
- Thread