Re: Authentication Methods for LDAP - last call
How about this:
In Section 6, Required Security Mechanisms, point 2:
Replace:
(2) Implementations providing password-based authenticated access
MUST support authentication using CRAM-MD5, as described in
section 8.1. This provides client authentication with
protection against passive eavesdropping attacks, but does
not provide protection against active intermediary attacks.
with:
(2) Implementations providing secure authenticated access MUST
NOT use the "simple" password authentication choice, since
this sends text in the clear. Therefore, such implementations
MUST support some secure form of authentication. Two such
examples are CRAM-MD5 and certificates. CRAM-MD5, while being
a good choice for password-based systems, has scaling issues.
Thus, in a large-scale distributed system, a better alternative
would be to use certificates in conjunction with TLS. Note that
CRAM-MD5, as described in section 8.1, provides client
authentication with protection against passive eavesdropping
attacks, but does not provide protection against active
intermediary attacks. The certificate exchange system is
described in section 9.
regards,
John
At 10:31 AM 8/1/98 -0700, Tim Howes wrote:
>The whole reason for this document is to make one mechanism
>mandatory, so that implementations have some guarantee of
>interoperability. Aside from being a good idea, this constraint
>has been clearly imposed by the IESG. So, you could argue
>that we've chosen the wrong mandatory mechanism, and that
>we should have chosen an X.509-based mechanism to be
>mandatory. That was considered and rejected as too high
>an implementation burden. Given this background, and these
>constraints, do you have any suggestions on how to improve
>this document? -- Tim
>
>Steve Kille wrote:
>
>> Mark,
>>
>> I agree with all of this. CRAM-MD5 is a good shared
>> secret mechanism, better than plain text password, and
>> suitable for some LDAP deployment.
>>
>> I think that X.509 (asymmetric key) mechanisms, such as
>> the one you describe are going to be suitable for a lot of
>> other environments.
>>
>> My objection is to making CRAM-MD5 MANDATORY, when it is
>> so clearly unsuitable for a lot of types of LDAP deployment.
>>
>> Steve
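The CRAM-MD5 exchange that the proposed replacement text points to (section 8.1, i.e. RFC 2195), as an added Python example that is not part of this message, the LDAP draft, or any implementation discussed on the list. The host name, user name and password are constructed for the example, and the base64 wrapping RFC 2195 applies to the challenge and response on the wire is left out so the values stay readable:

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials for the example; a real server would hold these
# in its directory (CRAM-MD5 needs the plaintext or an MD5-keyed form of it).
USERS = {"alice": "correct horse battery staple"}


def make_challenge(host="ldap.example.com"):
    """Server side: an RFC 2195 style challenge '<random.timestamp@host>'.
    The random part is fresh per bind, which is what makes a captured
    response useless against a later challenge."""
    return f"<{secrets.token_hex(16)}.{int(time.time())}@{host}>"


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge.
    The password itself never leaves the client; only the digest does."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(challenge, response, users=USERS):
    """Server side: recompute the digest from the stored password and compare
    in constant time. Returns True only for a response to *this* challenge."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = users.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def simple_bind_wire(username, password):
    """What the 'simple' choice the proposed text says MUST NOT be used puts
    on the wire: the password as-is (LDAP BER framing omitted)."""
    return f"{username}:{password}"


def properties(username="alice"):
    """Exercise the exchange and report the properties the draft text
    attributes to CRAM-MD5 versus simple bind."""
    password = USERS[username]
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    captured = (challenge, response)          # what a passive listener sees
    later_challenge = make_challenge()        # a fresh bind, later on
    return {
        "accepted": server_verify(challenge, response),
        "simple_bind_exposes_password": password in simple_bind_wire(username, password),
        "cram_transcript_exposes_password": password in captured[0] or password in captured[1],
        "captured_response_replays": server_verify(later_challenge, captured[1]),
        "wrong_password_accepted": server_verify(challenge, client_response(username, "guess", challenge)),
    }


if __name__ == "__main__":
    for name, value in properties().items():
        print(f"{name}: {value}")
```

The response is keyed by the password and bound to the challenge, so a listener on the wire sees neither the password nor anything it can present to a fresh challenge, which is the "protection against passive eavesdropping" the text claims. Nothing in the exchange, however, authenticates the server or ties the digest to a particular connection: the client would compute the same answer for the same challenge whoever relayed it, which is the gap behind the text's "active intermediary" caveat and its recommendation of certificates with TLS for the cases where that matters.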