Re: Simple auth and TLS (Was: authmeth review notes [long])

Kurt D. Zeilenga wrote:

> Michael, I believe the text, which mandates implementations be capable of protecting simple password authentication using TLS, is supported by WG consensus. Operational experience has shown that, in the absence of such mandates, implementations will not offer adequate protective services.

In principle I support the WG consensus that clear-text passwords have to be protected. And in most cases I'm in favour of protecting the LDAP connection instead of relying on trusted networks etc.

SHOULD seems strong enough to me to require TLS, and there are various other means by which you can protect clear-text passwords transmitted which are outside this specification (e.g. IPsec, Unix domain socket, etc.). That's local security policy and the security issues should be made very clear, but IMHO "MUST [..] TLS" is too strong here.

Ciao, Michael.