[Date Prev][Date Next] [Chronological] [Thread] [Top]

authmeth: missing protection

To: ietf-ldapbis@OpenLDAP.org
Subject: authmeth: missing protection
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Sat, 3 Jan 2004 15:34:57 +0100

authmeth-09 says:

> 6.2. Digest Authentication
>
>    (...) [DIGEST-MD5].  This provides client
>    authentication with protection against passive eavesdropping
>    attacks, but does not provide protection against active intermediary
>    attacks.

What does this mean?  That DIGEST-MD5 is vulnerable to
man-in-the-middle attacks?  I didn't think it was.

BTW, maybe 'simple anonymous bind' should be 'simple anonymous or
unauthenticated bind'.

It goes on to say:

> 10.1. Start TLS Security Considerations

>    The use of TLS does not provide or
>    ensure for confidentiality and/or non-repudiation of the data housed
>    by an LDAP-based directory server.

I don't understand.  I thought confidentiality was exactly one of
the things TLS was for.

-- 
Hallvard

Prev by Date: authmeth: user-specified SASL mechanisms
Next by Date: protocol: unrecognized protocolOp tag
Index(es):
- Chronological
- Thread