Should response-auth be optional for digest authentication in authmeth?
- To: ietf-ldapbis@OpenLDAP.org
- Subject: Should response-auth be optional for digest authentication in authmeth?
- From: Mark Ennis <mark.ennis@adacel.com>
- Date: Tue, 15 Apr 2003 15:48:24 +1000
- In-reply-to: <200303071153.GAA21309@ietf.org>
- References: <200303071153.GAA21309@ietf.org>
- User-agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3) Gecko/20030312
The current draft of authmeth (draft-ietf-ldapbis-authmeth-05.txt)
indicates, in section 8.2 paragraph 6, that the response-auth SASL
message is only included in the bind response for a successful bind when
the server supports subsequent authentication. This seems counter to the
intention of RFC2831 section 2.1.3 which indicates that the
response-auth should always be returned.
The response-auth provides one of the security aspects documented in
RFC2831, that of protection against "Spoofing by counterfeit servers"
(section 3.8). RFC2617, upon which RFC2831 is based, describes this
protection as "The optional response digest in the "response-auth"
directive supports mutual authentication -- the server proves that it
knows the user's secret, and with qop=auth-int also provides limited
integrity protection of the response.". Note that response-auth is
optional in RFC2617, but not (in my opinion) in RFC2831.
Was this diversion from the apparent intention of RFC2831 intentional
and if so, what is the reasoning behind weakening the authentication
procedure in this way?
Regards,
Mark Ennis
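Added example, not part of Mark Ennis's message or of the ldapbis drafts: the RFC 2831 computation of the client's response and the server's rspauth (the response-auth discussed above) in Python, with the client-side check that a counterfeit server cannot pass and that a bind response lacking rspauth cannot pass either. All usernames, nonces and the digest-uri are constructed values.

```python
import hashlib
import hmac

def _hexh(data: bytes) -> str:
    """HEX(H(s)) with H = MD5, as RFC 2831 section 2.1.2.1 defines it."""
    return hashlib.md5(data).hexdigest()

def _kd(key_hex: str, data: str) -> str:
    """KD(k, s) = HEX(H(k ":" s))."""
    return _hexh(f"{key_hex}:{data}".encode())

def digest_md5(user, realm, passwd, nonce, cnonce, nc, qop, uri, authzid=None):
    """Return (response, rspauth) for one DIGEST-MD5 exchange (RFC 2831 2.1.2.1).

    Both values derive from the same A1, so a correct rspauth shows that the
    server knows the user's secret: the mutual authentication the message refers to.
    """
    # A1 = { H(user:realm:passwd), ":", nonce, ":", cnonce [, ":", authzid] };
    # the inner H() is the raw 16-byte digest, not its hex form.
    a1 = hashlib.md5(f"{user}:{realm}:{passwd}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    ha1 = _hexh(a1)
    # A2 carries the digest-uri, plus 32 zeros when qop is auth-int or auth-conf.
    tail = f":{uri}"
    if qop in ("auth-int", "auth-conf"):
        tail += ":00000000000000000000000000000000"
    # The client's A2 starts with the method name; the server's rspauth A2 omits it.
    common = f"{nonce}:{nc}:{cnonce}:{qop}:"
    response = _kd(ha1, common + _hexh(("AUTHENTICATE" + tail).encode()))
    rspauth = _kd(ha1, common + _hexh(tail.encode()))
    return response, rspauth

def client_accepts_server(expected_rspauth, received_rspauth):
    """Client-side check: a bind response without rspauth (as the draft would
    allow) is indistinguishable from one sent by a server that never knew the secret."""
    if received_rspauth is None:
        return False
    return hmac.compare_digest(expected_rspauth, received_rspauth)

# Constructed sample parameters, not a test vector from any RFC.
PARAMS = dict(user="alice", realm="example.test", nonce="n0nce-constructed",
              cnonce="cn0nce-constructed", nc="00000001", qop="auth",
              uri="ldap/ldap.example.test")
```

With these parameters, `digest_md5(passwd="...", **PARAMS)` run by the client and by an honest server yields the same rspauth, while a server guessing the password yields a different one.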