I agree with Mark's suggestion below.

>>> Mark Smith <mcs@netscape.com> 11/22/00 1:38:45 PM >>>
Jim Sermersheim wrote:
>
> I'm not sure why the word "authentication" is in the following sentence from
> section 4.2.2 of RFC 2251. Does it mean that you could supply a simple
> password, but it's somehow associated with authentication secrets that
> have been negotiated securely at a lower layer, thus rendering the
> transmission of the cleartext password useless to others?
>
> "Note that the use of cleartext passwords is not recommended over open
> networks when there is no authentication or encryption being performed
> by a lower layer; see the "Security Considerations" section."

My opinion is that the two words "authentication" and "or" should be
removed. In fact, the statement from the Security Considerations section
that this refers to uses the word "confidentiality" which is the best
choice in my opinion. It says:

   Use of cleartext password is strongly discouraged where the underlying
   transport service cannot guarantee confidentiality and may result in
   disclosure of the password to unauthorized parties.

So we could change the text in section 4.2.2 to read:

   Note that the use of cleartext passwords is not recommended over open
   networks when the underlying transport service cannot guarantee
   confidentiality; see the "Security Considerations" section."

--
Mark Smith
Directory Product Development / Netscape
Got LDAP? Get it!