[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Simple auth and TLS (Was: authmeth review notes [long])

Kurt D. Zeilenga writes:
>At 10:25 AM 3/9/2004, Hallvard B Furuseth wrote:
>>Michael Ströder writes:
>>>Kurt D. Zeilenga wrote:
>>>>  LDAP implementations SHOULD support the simple DN/password mechanism
>>>>  of the simple Bind method (as detailed in Section X).
>>>>  Implementations
>>>>  which support this mechanism MUST be capable of protecting it by
>>>>  establishment (as discussed in Section 3) of TLS. 
>>Still wrong.  Together, these changes require implementations that do
>>not support TLS, to implement a security hole.
> Which security hole you refer to here?

Simple bind with an unprotected cleartext password.  But I should have
said, implementations will be required to _support_ a security hole.
They don't have to activate it.  Unfortunately, one can trust some users
to activate it, and some server admins to allow such binds.