
Re: Authlevel in LDAP ACI



Kurt,

I see your point.  But, then "strong" is in the eye of the beholder.
The point of digest-md5 was to limit some security holes in
authentication.

What do others think?

Ellen

At 07:36 AM 4/19/00 +0200, Kurt D. Zeilenga wrote:
At 08:45 PM 4/18/00 -0500, Ellen Stokes wrote:
>Here's a sketchy BNF for incorporating authentication strength
>and mechanism per today's discussion.
>
>< ldapACI > ::= < acl entry syntax >
>
>< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#'
> + < rights > + '#' + < dnType >
> + < authLevel > + '#' + < subjectDn >
>
>< authLevel > ::= "none" | "simple" | <strong>
>
>< strong > ::= "strong" | < SASLauth >
>
>< SASLauth > ::= "SASL" + ':' + < SASLmech >
>
>< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | "KERBEROS-ID" | < printableString >


KERBEROS-ID is not a SASL mechanism, it's a form of authorization
(access) identity.

>
>Assumption here is that anything other than none or simple is strong and
>strong can
>be specified as strong (any other mechanism) or an explicit mechanism.

This use of "strong" is misleading.  Simple authentication when
solid privacy and integrity are in place (ala TLS, IPSEC) is
actually stronger than DIGEST-MD5 without such protections.
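
As an added example (not code from the thread, from the ACI draft, or from either poster), here is a small Python parser and evaluator for the authLevel field as sketched above. It assumes the six fields are '#'-separated in the order familyOID # scope # rights # dnType # authLevel # subjectDn (reading authLevel as its own field), that SASL mechanism names follow the RFC 2222 sasl-mech form, and that none < simple < strong nest as minimum levels. The registry check shows why a syntactically valid token such as KERBEROS-ID still needs a second look, and the evaluator deliberately sees only the bind mechanism, not whether TLS or IPsec was in place, which is exactly the gap Kurt points at.

```python
"""Parse the sketched ldapACI syntax and evaluate its authLevel field
against the mechanism a bind actually used.

Added example; not code from the ACI draft or from either poster.
Assumed field layout ('#'-separated, authLevel read as its own field):
    familyOID # scope # rights # dnType # authLevel # subjectDn
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 2222 sasl-mech: 1..20 characters from A-Z, 0-9, '-' and '_'.
SASL_MECH_RE = re.compile(r"^[A-Z0-9_-]{1,20}$")
OID_RE = re.compile(r"^\d+(\.\d+)*$")

# A few registered mechanism names, for the registry check below
# (illustrative subset, not the full IANA registry).
REGISTERED_MECHS = frozenset(
    {"EXTERNAL", "DIGEST-MD5", "CRAM-MD5", "GSSAPI", "PLAIN", "ANONYMOUS"}
)


@dataclass(frozen=True)
class AuthLevel:
    kind: str                   # "none", "simple", "strong" or "SASL"
    mech: Optional[str] = None  # set only when kind == "SASL"


@dataclass(frozen=True)
class Aci:
    family_oid: str
    scope: str
    rights: str
    dn_type: str
    auth_level: AuthLevel
    subject_dn: str


def parse_auth_level(text: str) -> AuthLevel:
    """<authLevel> ::= "none" | "simple" | "strong" | "SASL" ':' <SASLmech>"""
    if text in ("none", "simple", "strong"):
        return AuthLevel(text)
    if text.startswith("SASL:"):
        mech = text[len("SASL:"):]
        if not SASL_MECH_RE.match(mech):
            raise ValueError(f"malformed SASL mechanism name: {mech!r}")
        return AuthLevel("SASL", mech)
    raise ValueError(f"unknown authLevel: {text!r}")


def parse_aci(value: str) -> Aci:
    """Split an ldapACI value into its six fields. Only the first five '#'
    separators are consumed, so a subjectDn containing '#' stays intact."""
    parts = value.split("#", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 '#'-separated fields, got {len(parts)}")
    family_oid, scope, rights, dn_type, level, subject_dn = (p.strip() for p in parts)
    if not OID_RE.match(family_oid):
        raise ValueError(f"familyOID is not a dotted OID: {family_oid!r}")
    if scope not in ("entry", "subtree"):
        raise ValueError(f"scope must be 'entry' or 'subtree': {scope!r}")
    return Aci(family_oid, scope, rights, dn_type, parse_auth_level(level), subject_dn)


def is_registered_mech(level: AuthLevel) -> bool:
    """Syntax alone accepts any well-formed token; checking the name against
    the registry catches tokens like KERBEROS-ID that are not mechanisms."""
    return level.kind != "SASL" or level.mech in REGISTERED_MECHS


def bind_satisfies(required: AuthLevel, bind_mech: Optional[str]) -> bool:
    """Decide whether a bind meets the ACI's authLevel.

    bind_mech is None for an anonymous bind, "simple" for a simple bind,
    otherwise the SASL mechanism name. Levels are treated as minimums in
    the order none < simple < strong (an assumption; the sketch does not
    say whether they nest) and "SASL:<mech>" means exactly that mechanism.
    This function has no view of transport protection (TLS, IPsec), so a
    simple bind over TLS is ranked below DIGEST-MD5 in the clear.
    """
    if required.kind == "none":
        return True
    if bind_mech is None:
        return False
    if required.kind == "simple":
        return True
    if required.kind == "strong":
        return bind_mech != "simple"
    return bind_mech == required.mech


def evaluate(aci_value: str, bind_mech: Optional[str]) -> bool:
    """Parse one ACI value and test it against a bind mechanism."""
    return bind_satisfies(parse_aci(aci_value).auth_level, bind_mech)


# Constructed sample ACI values (not taken from the thread).
SAMPLE_ACIS = (
    "1.2.3.4#entry#grant;r,s#access-id#SASL:DIGEST-MD5#cn=admin,o=example",
    "1.2.3.4#subtree#grant;r#group#strong#cn=staff,o=example",
    "1.2.3.4#subtree#grant;r#access-id#none#cn=anybody,o=example",
)

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        for mech in (None, "simple", "DIGEST-MD5", "EXTERNAL"):
            print(f"{parse_aci(aci).auth_level} vs bind {mech!r}: {evaluate(aci, mech)}")
```

The parser is strict about the SASL mechanism token (uppercase, at most 20 characters) so that a lowercase or empty name is rejected at parse time rather than silently never matching any bind.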