
Re: comments to draft-ietf-ldapbis-authmeth-04.txt



Alexey Melnikov writes:
>Hallvard B Furuseth wrote:
> 
>>Section 3.9 "Storing passwords" says:
>>
>>   if this password file is compromised, then an attacker gains
>>   immediate access to documents on the server using this realm.
>>
>>I don't see what 'files' means in LDAP context.
>
> password storage.

Sorry, I meant 'documents on the server', not 'files'.  'files' was from
my private notes, with some misquoting...

That is, does this mean that one can authenticate as anyone in the password
file if the password file is compromised?

>>Does this mean that
>>if our system encrypts passwords and throws away the unencrypted ones,
>>
> I assumed below that you meant hashing, not encrypting here. Encryption 
> is reversible.

Yes.

> Have I answered your questions?

Not quite, I must chew on this a bit...

-- 
Hallvard
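The question raised in this message, whether a copy of the server's password store is by itself enough to authenticate as every user in it, turns on what the server has to store in order to verify the mechanism. The following is an added illustration, not code from the thread or from the authmeth draft. It assumes the mechanism under discussion is a DIGEST-MD5 style challenge-response (the draft's "realm" wording points that way), and simplifies the RFC 2831 response computation to its essential shape: the server keeps H(user:realm:password), and everything else that goes into the response is public. It contrasts that with a store of salted PBKDF2 hashes that the server only ever compares against a password the client actually sends. Realm, user, password and nonce values are constructed sample data.

```python
"""Why a stolen "hashed" password file can still be enough to log in.

Two server-side stores are compared (constructed example, not the draft's text):
  1. a digest-style store holding H(user:realm:password), which the server
     needs in order to check a challenge-response, and
  2. a store holding salt + PBKDF2(password), which the server only uses to
     check a password the client actually transmits.
"""
import hashlib
import hmac
import os

REALM = "ldap.example.org"      # constructed realm name (assumption)
URI = "ldap/ldap.example.org"   # constructed digest-uri (assumption)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# ---- 1. digest-style store: server keeps H(user:realm:password) ----------

def digest_ha1(user: str, password: str) -> str:
    """The value the server must store to be able to verify a digest response."""
    return md5_hex(f"{user}:{REALM}:{password}")


def digest_response(ha1: str, nonce: str) -> str:
    """Simplified challenge-response: apart from HA1, every input is public."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex('AUTHENTICATE:' + URI)}")


def digest_verify(store: dict, user: str, nonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(store[user], nonce)
    return hmac.compare_digest(expected, response)


# ---- 2. salted-hash store: server keeps salt + PBKDF2(password, salt) -----

def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Password-file entry: random salt plus a slow hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def salted_verify(store: dict, user: str, password: str) -> bool:
    """Server side: hash the password the client sent and compare to the record."""
    salt, digest = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


# ---- scenario: the attacker has a copy of each password file ---------------

def demo() -> dict:
    user, password = "alice", "correct horse battery staple"   # constructed
    nonce = "c4b1e0d3"                                          # constructed

    digest_file = {user: digest_ha1(user, password)}
    salted_file = {user: salted_record(password)}

    # The attacker copies both files; the cleartext password is never seen.
    stolen_digest = dict(digest_file)
    stolen_salted = dict(salted_file)

    # Legitimate client derives HA1 from the password it knows.
    legit_digest = digest_verify(
        digest_file, user, nonce,
        digest_response(digest_ha1(user, password), nonce))

    # Attacker simply reuses the stored HA1: the stored value *is* the credential.
    forged_digest = digest_verify(
        digest_file, user, nonce,
        digest_response(stolen_digest[user], nonce))

    # With the salted store the stolen blob is not a password; submitting it
    # fails, and the attacker is left with an offline cracking job.
    _salt, blob = stolen_salted[user]
    replay_salted = salted_verify(salted_file, user, blob.hex())

    return {
        "legit_digest": legit_digest,
        "forged_digest": forged_digest,
        "legit_salted": salted_verify(salted_file, user, password),
        "replay_salted": replay_salted,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The asymmetry is the point of the draft's warning: hashing the stored value does not help when the protocol makes that stored hash sufficient to answer the challenge, because "compromise of the password file" then means compromise of every credential in it, with no cracking step in between. Hashing only protects the store when the client has to present the original secret and the server derives the comparison value from it.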