
Re: authmeth: missing protection




> >>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 1/3/2004 7:34:57 AM >>>
> authmeth-09 says:
>
> > 6.2. Digest Authentication
> >
> > (...) [DIGEST-MD5]. This provides client
> > authentication with protection against passive eavesdropping
> > attacks, but does not provide protection against active intermediary
> > attacks.
>
> What does this mean? That DIGEST-MD5 is vulnerable to
> man-in-the-middle attacks? I didn't think it was.
 
I don't have enough experience with Digest Authentication to speak to this. Can someone else in the WG please comment?

>
> BTW, maybe 'simple anonymous bind' should be 'simple anonymous or
> unauthenticated bind'.
>
> It goes on to say:
>
> > 10.1. Start TLS Security Considerations
>
> > The use of TLS does not provide or
> > ensure for confidentiality and/or non-repudiation of the data housed
> > by an LDAP-based directory server.
>
> I don't understand. I thought confidentiality was exactly one of
> the things TLS was for.
 
I think the point is that TLS protects the data in transit between client and server, but it can't do anything to protect the data at the point it is housed. E.g. if the data is all just in text files on the LDAP server's file system with world-readable permissions, anyone with access to the server's file system can see the data.

>
> --
> Hallvard

Roger
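The point in the reply above (TLS covers the wire, not the files the server keeps the directory in) is easy to check on a host. The script below is an added example, not part of the original thread or of any LDAP implementation: it walks a directory tree and lists every regular file whose mode grants read access to "other", which is exactly the case where anyone with a shell on the server can read the data TLS protected in transit. The sample tree it builds (file names and contents) is constructed for the demonstration; the real database directory to point it at is an assumption that depends on the server (for example `/var/lib/ldap` on many OpenLDAP installs).

```python
"""Audit a directory tree for world-readable files.

Added example, not code from the original mailing-list thread.  It
illustrates the reply above: TLS protects LDAP data between client and
server, but if the backing files on the server are world-readable,
any local user can read them regardless of TLS.  The directory and
sample files below are constructed; a real check would target the
server's actual database directory (an assumption: /var/lib/ldap on
many systems).
"""
import os
import stat
import tempfile


def world_readable_files(root):
    """Return the sorted, root-relative paths of regular files under
    root whose mode bits include S_IROTH (readable by 'other')."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                     # skip symlinks, sockets, etc.
            if st.st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_tree():
    """Create a constructed directory resembling an LDAP backend with
    one file left world-readable and one correctly restricted."""
    root = tempfile.mkdtemp(prefix="ldap-demo-")
    exposed = os.path.join(root, "id2entry.bdb")      # constructed name
    restricted = os.path.join(root, "dn2id.bdb")      # constructed name
    with open(exposed, "w") as f:
        f.write("dn: uid=alice,dc=example,dc=com\n"
                "userPassword: {SSHA}constructed-sample-hash\n")
    with open(restricted, "w") as f:
        f.write("dn: uid=bob,dc=example,dc=com\n")
    os.chmod(exposed, 0o644)      # world-readable: the problem case
    os.chmod(restricted, 0o600)   # owner-only: what we want
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in world_readable_files(demo_root):
        print("world-readable:", os.path.join(demo_root, rel))
```

The check looks only at the "other" read bit; on a real server you would also want to confirm the directory's group ownership and that the database directory itself is not traversable by unrelated users, since a restrictive file mode does not help if the files are readable through some other path (a backup copy, a core dump, an LDIF export).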