authmeth: missing protection
authmeth-09 says:
> 6.2. Digest Authentication
>
> (...) [DIGEST-MD5]. This provides client
> authentication with protection against passive eavesdropping
> attacks, but does not provide protection against active intermediary
> attacks.
What does this mean? That DIGEST-MD5 is vulnerable to
man-in-the-middle attacks? I didn't think it was.
BTW, maybe 'simple anonymous bind' should be 'simple anonymous or
unauthenticated bind'.
It goes on to say:
> 10.1. Start TLS Security Considerations
> The use of TLS does not provide or
> ensure for confidentiality and/or non-repudiation of the data housed
> by an LDAP-based directory server.
I don't understand. I thought confidentiality was exactly one of
the things TLS was for.
--
Hallvard