
authmeth: missing protection



authmeth-09 says:

> 6.2. Digest Authentication
>
>    (...) [DIGEST-MD5].  This provides client
>    authentication with protection against passive eavesdropping
>    attacks, but does not provide protection against active intermediary
>    attacks.

What does this mean?  That DIGEST-MD5 is vulnerable to
man-in-the-middle attacks?  I didn't think it was.

BTW, maybe 'simple anonymous bind' should be 'simple anonymous or
unauthenticated bind'.

It goes on to say:

> 10.1. Start TLS Security Considerations

>    The use of TLS does not provide or
>    ensure for confidentiality and/or non-repudiation of the data housed
>    by an LDAP-based directory server.

I don't understand.  I thought confidentiality was exactly one of
the things TLS was for.

-- 
Hallvard