
Auth Compromise (was Re: Authentication Methods for LDAP - last call)



On Wed, 5 Aug 1998, John C. Strassner wrote:
> Add text to the draft that divides the deployment of LDAP into two types:
> one for businesses that use one (or perhaps a small number) of servers, and
> one that implements a distributed system of many servers. For the former,
> specify that mandatory to implement is CRAM-MD5, and for the latter,
> specify that mandatory to implement is either a certificate-based system or
> Kerberos.

I can't agree with that because it fails the interoperability test, but
here's a counter-proposal:

  CRAM-MD5 is MANDATORY-TO-IMPLEMENT for all LDAP servers.  This does not 
  mean that CRAM-MD5 is appropriate to use in all cases.  However, when
  CRAM-MD5 is disabled, an LDAP connection will be restricted to anonymous
  access unless the client and server happen to have another 
  authentication mechanism in common.  Because CRAM-MD5 is intended to be
  the minimal acceptable authentication mechanism, LDAP servers SHOULD NOT
  permit the use of simple bind over an unencrypted connection.  LDAP
  clients and servers MUST have a configuration option to disable simple
  bind over an unencrypted connection if they permit its use at all.

  Servers and clients SHOULD implement an authentication mechanism which
  passes encrypted clear text passwords, such as the simple bind mechanism
  combined with TLS encryption.  This provides compatibility for existing
  authentication databases such as Unix /etc/passwd.

  Servers and clients intended to operate in a large distributed
  environment MUST implement an authentication mechanism capable of
  distributed management such as the EXTERNAL SASL mechanism with TLS
  client certificates, or the GSSAPI SASL mechanism with Kerberos V5.

I note that each of these three segments meets a different incompatible
requirement for authentication mechanisms.  The first addresses the
"simple, fast, but not clear text" requirement, the second addresses the
"backwards compatible" requirement and the third addresses the "good 
security & distributed management" requirement.

		- Chris