Re: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt
Kurt D. Zeilenga wrote:
> At 12:40 PM 5/26/2003, Michael Ströder wrote:
>> Kurt D. Zeilenga wrote:
>>> KurtZ raised a security consideration regarding session hijacking.
>>> Add consideration.
>>
>> ??? "Add: Use of integrity protection is encouraged to prevent session hijacking."
>>
>> Which session is meant here?
>
> The LDAP session.
>
> If one uses a mechanism such as DIGEST-MD5 without
> negotiating integrity protection to authenticate,
> a man-in-middle can hijack the session after
> authentication completes.

Does that really belong in draft-ietf-ldapbis-user-schema? How does that relate to the schema definitions?

I can understand that one emphasizes security for e.g. userPassword (could be added to section 'Security Considerations', generalized and extended). But IMHO LDAP session security is out of scope in this document.

Ciao, Michael.
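Kurt's point about DIGEST-MD5 without a negotiated integrity layer, as an added illustration that is not part of this thread or of the draft: a constructed toy model in Python (not the real DIGEST-MD5 wire format) of why operations sent after a bare bind are indistinguishable from traffic injected by an on-path party, and how a keyed integrity layer lets the server reject forged or replayed operations. The helper names session_key, tag, wrap and accept are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of DIGEST-MD5-style authentication followed by
# operations on the same connection. Not the real wire format: a 32-byte
# HMAC-SHA256 tag plus sequence number stands in for the SASL integrity layer.

def session_key(password: bytes, nonce: bytes, cnonce: bytes) -> bytes:
    """Both endpoints derive this from the exchange; an on-path party cannot."""
    return hashlib.sha256(b"|".join((password, nonce, cnonce))).digest()

def tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def wrap(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity layer on the sender side: seq || payload || HMAC."""
    body = seq.to_bytes(4, "big") + payload
    return body + tag(key, body)

def accept(key: bytes, expect_seq: int, msg: bytes, integrity: bool) -> bool:
    """Server-side check on an operation received after the bind completed."""
    if not integrity:
        return True                          # anything on the socket is trusted
    body, mac = msg[:-32], msg[-32:]
    return (len(body) >= 4
            and hmac.compare_digest(mac, tag(key, body))
            and int.from_bytes(body[:4], "big") == expect_seq)

def demo(integrity: bool) -> tuple:
    """Legitimate bind and search, then an operation injected by an on-path
    party that observed the exchange but knows neither password nor key."""
    password = b"constructed-password"
    nonce, cnonce = secrets.token_bytes(16), secrets.token_bytes(16)
    client_key = session_key(password, nonce, cnonce)
    # The server verifies the bind proof, so both sides now hold the same key.
    server_key = session_key(password, nonce, cnonce)
    assert hmac.compare_digest(tag(client_key, b"bind"), tag(server_key, b"bind"))
    search = wrap(client_key, 0, b"search uid=alice") if integrity else b"search uid=alice"
    legit = accept(server_key, 0, search, integrity)
    # Injected by the on-path party: without the key no valid tag can be produced.
    forged = b"modify uid=alice replace userPassword"
    injected = accept(server_key, 1, forged, integrity)
    return legit, injected
```

demo(False) accepts both the legitimate and the injected operation; demo(True) accepts only the legitimate one, and a replayed message with a stale sequence number is rejected as well.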