
Re: authmeth: passwords in the clear

At 08:53 AM 2/28/2004, Hallvard B Furuseth wrote:
>authmeth-10 says:
>
>> 11. General Requirements for Password-based Authentication
>> (...)
>>   To mitigate the security risks associated with the use of passwords, 
>>   a server implementation MUST implement a configuration that at the 
>>   time of authentication or password modification, requires: 
>>
>>      1) A Start TLS encryption layer has been successfully negotiated. 
>>
>>       OR 
>>
>>      2) Some other confidentiality mechanism that protects the password 
>>         value from snooping has been provided. 
>>
>>       OR 
>
>This should only apply to cleartext passwords, not e.g. modifications of
>attributes that contain encrypted passwords.

I concur that this particular section should be limited to
cleartext passwords used in authentication.  

>Finally, as I said in the thread about this, we cannot mandate this for
>other operations than bind, because a gateway server may not know which
>attributes contain passwords (other than userPassword).  You could use
>"MUST" protect cleartext bind passwords, and "SHOULD" protect other
>cleartext passwords.

I think other "uses" of cleartext passwords (such as modification)
should be addressed in documents detailing specific mechanisms (e.g.,
LDAP Password Modify Operation) and/or password schema.  (And,
aside from some very general guidance, issues associated with
gateways, caching proxies, chaining servers, and/or replicas
should be addressed in documents discussing such things.)

Kurt
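As an added illustration (not from the authmeth draft or from either poster), here is a small Python model of the split Hallvard proposes: an unprotected cleartext bind password is rejected (the MUST), other cleartext password uses are flagged but allowed (the SHOULD), and hashed values or attributes the server cannot recognise as passwords are left alone. The Connection and Operation classes, the cleartext-mechanism set and the hash-prefix list are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed classification for this example: SASL mechanisms that send the
# password itself over the wire, and the "{scheme}" prefixes that mark a
# userPassword value as already hashed rather than cleartext.
CLEARTEXT_SASL_MECHS = {"PLAIN", "LOGIN"}
HASHED_PREFIXES = (b"{SSHA}", b"{SHA}", b"{SMD5}", b"{MD5}", b"{CRYPT}")


@dataclass
class Connection:
    tls_active: bool = False            # Start TLS layer negotiated (item 1)
    sasl_confidentiality: bool = False  # SASL privacy layer in place (item 2)

    def confidential(self) -> bool:
        return self.tls_active or self.sasl_confidentiality


@dataclass
class Operation:
    kind: str            # "simple_bind", "sasl_bind" or "modify"
    mechanism: str = ""  # SASL mechanism name, for sasl_bind
    attribute: str = ""  # attribute being replaced, for modify
    value: bytes = b""   # bind password or new attribute value


def carries_cleartext_password(op: Operation) -> bool:
    """True when the operation would expose a cleartext password on the wire."""
    if op.kind == "simple_bind":
        return op.value != b""  # an empty password is an anonymous bind
    if op.kind == "sasl_bind":
        return op.mechanism.upper() in CLEARTEXT_SASL_MECHS
    if op.kind == "modify" and op.attribute.lower() == "userpassword":
        # A value that already carries a hash prefix is not a cleartext password.
        return not op.value.startswith(HASHED_PREFIXES)
    return False  # other attributes: the server cannot know they hold passwords


def check(conn: Connection, op: Operation) -> str:
    """Return "allow", "reject" (the MUST rule) or "warn" (the SHOULD rule)."""
    if conn.confidential() or not carries_cleartext_password(op):
        return "allow"
    if op.kind in ("simple_bind", "sasl_bind"):
        return "reject"  # cleartext bind password with no confidentiality layer
    return "warn"        # cleartext password elsewhere: allow, but log it
```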