
Re: Authentication Methods for LDAP - last call



I think that this is a good approach.   It should allow 
hooks to use other forms of "appropriately secure" 
authentication (e.g., the X.509/SASL spec I am working on, 
and probably some other SASL mechanisms too)

Steve

On Sat, 01 Aug 1998 11:31:34 -0700 "John C. Strassner" 
<johns@cisco.com> wrote:

> How about this:
> 
> In Section 6, Required Security Mechanisms, point 2:
> 
> Replace:
> 
>      (2)   Implementations providing password-based authenticated access
>            MUST support authentication using CRAM-MD5, as described in 
>            section 8.1.  This provides client authentication with 
>            protection against passive eavesdropping attacks, but does
>            not provide protection against active intermediary attacks.
> 
> with:
> 
>      (2)   Implementations providing secure authenticated access MUST
>            NOT use the "simple" password authentication choice, since
>            this sends text in the clear. Therefore, such implementations
>            MUST support some secure form of authentication. Two such
>            examples are CRAM-MD5 and certificates. CRAM-MD5, while being
>            a good choice for password-based systems, has scaling issues.
>            Thus, in a large-scale distributed system, a better alternative
>            would be to use certificates in conjunction with TLS. Note that
>            CRAM-MD5, as described in section 8.1, provides client
>            authentication with protection against passive eavesdropping
>            attacks, but does not provide protection against active
>            intermediary attacks. The certificate exchange system is
>            described in section 9.
> 
> regards,
> John
> 
> At 10:31 AM 8/1/98 -0700, Tim Howes wrote:
> >The whole reason for this document is to make one mechanism
> >mandatory, so that implementations have some guarantee of
> >interoperability. Aside from being a good idea, this constraint
> >has been clearly imposed by the IESG. So, you could argue
> >that we've chosen the wrong mandatory mechanism, and that
> >we should have chosen an X.509-based mechanism to be
> >mandatory. That was considered and rejected as too high
> >an implementation burden. Given this background, and these
> >constraints, do you have any suggestions on how to improve
> >this document?                               -- Tim
> >
> >Steve Kille wrote:
> >
> >> Mark,
> >>
> >> I agree with all of this.   CRAM-MD5 is a good shared
> >> secret mechanism, better than plain text password, and
> >> suitable for some LDAP deployment.
> >>
> >> I think that X.509 (asymmetric key) mechanisms, such as
> >> the one you describe are going to be suitable for a lot of
> >> other environments.
> >>
> >> My objection is to making CRAM-MD5 MANDATORY, when it is
> >> so clearly unsuitable for a lot of types of LDAP deployment.
> >>
> >> Steve
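The thread turns on one property of CRAM-MD5: it protects the password against a passive eavesdropper but gives no protection against an active intermediary. The following Python is an added illustration, not code from the thread or from any LDAP implementation. It models the RFC 2195 exchange (server challenge, client HMAC-MD5 response keyed with the password) and runs both attacker scenarios: an eavesdropper replaying a recorded response, and an intermediary that relays the server's challenge to the real client and forwards the answer. The user name, password, host name and challenge format are assumptions. It also includes a caveat the thread does not discuss: a recorded challenge/response pair still lets the eavesdropper test password guesses offline.

```python
"""CRAM-MD5 (RFC 2195) as used by LDAP SASL binds, with the two attacker models
from the thread: a passive eavesdropper and an active intermediary.
Constructed example; users, host name and challenge format are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store, not from the original thread.
USERS = {"alice": b"correct horse battery staple"}


def cram_md5_response(username: str, password: bytes, challenge_b64: bytes) -> bytes:
    """Client side of RFC 2195: decode the challenge, compute HMAC-MD5 keyed with
    the password over it, and return base64("<user> <lowercase hex digest>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


class CramMd5Server:
    """Server side: issues single-use challenges and verifies responses."""

    def __init__(self, users):
        self._users = users
        self._pending = set()

    def challenge(self) -> bytes:
        # RFC 2195 suggests "<random.timestamp@host>"; the random part is what
        # makes a captured response useless against any later challenge.
        chal = f"<{secrets.token_hex(8)}.{int(time.time())}@ldap.example>".encode()
        self._pending.add(chal)
        return base64.b64encode(chal)

    def verify(self, challenge_b64: bytes, response_b64: bytes) -> bool:
        chal = base64.b64decode(challenge_b64)
        if chal not in self._pending:
            return False  # unknown or already-answered challenge
        self._pending.discard(chal)
        try:
            user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
        except ValueError:
            return False
        password = self._users.get(user)
        if password is None:
            return False
        expected = hmac.new(password, chal, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)


def honest_bind(server: CramMd5Server) -> bool:
    """Legitimate client answers the server's own challenge."""
    chal = server.challenge()
    return server.verify(chal, cram_md5_response("alice", USERS["alice"], chal))


def passive_replay(server: CramMd5Server) -> bool:
    """Eavesdropper records one exchange, then replays the response in a new
    session. The server's fresh challenge makes the recorded digest wrong."""
    chal = server.challenge()
    captured = cram_md5_response("alice", USERS["alice"], chal)
    server.verify(chal, captured)  # the legitimate bind it listened to
    return server.verify(server.challenge(), captured)


def active_relay(server: CramMd5Server) -> bool:
    """Intermediary that knows no password: take the server's challenge, present
    it to the real client as if it were the server, forward the client's answer.
    Nothing in CRAM-MD5 binds the response to the peer the client believes it
    is talking to, so the relay authenticates as the client."""
    chal_from_server = server.challenge()
    answer_from_victim = cram_md5_response("alice", USERS["alice"], chal_from_server)
    return server.verify(chal_from_server, answer_from_victim)


def offline_guess(chal_b64: bytes, response_b64: bytes, candidates):
    """Caveat: what the passive eavesdropper can still do with a recorded pair is
    test password guesses offline. Returns the matching candidate or None."""
    chal = base64.b64decode(chal_b64)
    _user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    for pw in candidates:
        if hmac.compare_digest(hmac.new(pw, chal, hashlib.md5).hexdigest(), digest):
            return pw
    return None


if __name__ == "__main__":
    s = CramMd5Server(USERS)
    print("honest bind:", honest_bind(s))                # True
    print("replay by eavesdropper:", passive_replay(s))  # False
    print("relay by intermediary:", active_relay(s))     # True
```

The relay scenario is the "active intermediary attack" the draft text refers to: the attacker sits between client and server, never learns the password, and still binds as the client. Binding the SASL exchange to a server-authenticated TLS session, which is what the certificate-plus-TLS alternative in John's wording buys, is what closes that gap.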