
RE: Authentication Methods for LDAP - last call



The statement

"This provides client authentication with protection against passive
eavesdropping attacks, but does not provide protection against active
intermediary attacks."

is incorrect. It provides somewhat more protection than base64 encoding the
password, but leaves it susceptible to chosen plaintext attacks and hence
precomputed dictionary attacks and batch brute force attacks -- all of which
are passive eavesdropping attacks.

I posted a proposed substitute section 8.1, using Digest instead of
CRAM-MD5. It would permit shared authentication logic and authentication
databases between HTTP and LDAP -- a BIG win, IMHO.

Paul
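To make the point in the message above concrete, the following is an added example (not code from the message or from the draft it discusses). It assumes the CRAM-MD5 mechanism as specified in RFC 2195 (response = username, space, hex HMAC-MD5 keyed with the password over the server challenge) and the SASL PLAIN layout of NUL-separated fields; all usernames, passwords and challenge strings in it are constructed except for the RFC 2195 reference vector, which is labelled. It shows why hiding the password behind a challenge-response is only a partial improvement over base64: a passive observer who records the challenge and the response can test candidate passwords offline, exactly the dictionary and batch brute-force exposure Paul describes. Nothing that an eavesdropper cannot already do is needed; the code merely confirms a guess against a recorded exchange.

```python
import base64
import hashlib
import hmac

# RFC 2195 CRAM-MD5 client response:
#   "<username> <hex(HMAC-MD5(key=password, msg=challenge))>"
def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


# What "base64 encoding the password" looks like on the wire (SASL PLAIN
# layout: authzid NUL authcid NUL password). Anyone who sees it has the
# password directly; base64 is an encoding, not protection.
def plain_credentials(username: str, password: str) -> str:
    return base64.b64encode(f"\0{username}\0{password}".encode("utf-8")).decode("ascii")


def password_from_plain(token: str) -> str:
    return base64.b64decode(token).decode("utf-8").split("\0")[2]


# The CRAM-MD5 response is a deterministic function of (challenge, password).
# A passive observer who recorded both can therefore check any candidate
# password offline; the mechanism hides the password itself but not its
# verifiability. Low-entropy passwords are the weak point, which is why such
# exchanges belong inside TLS (or behind a salted, iterated mechanism).
def response_confirms_guess(challenge: bytes, captured_response: str,
                            username: str, guess: str) -> bool:
    return hmac.compare_digest(cram_md5_response(username, guess, challenge),
                               captured_response)


# Constructed exchange (hypothetical user/password/challenge) plus the
# reference vector from RFC 2195 section 2, used to check the HMAC wiring.
RFC2195_USER = "tim"
RFC2195_PASSWORD = "tanstaaftanstaaf"
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def demo() -> dict:
    challenge = b"<12345.1700000000@ldap.example.test>"  # constructed
    plain = plain_credentials("alice", "winter2024")
    captured = cram_md5_response("alice", "winter2024", challenge)
    # The observer recorded `challenge` and `captured`; neither contains the
    # password, yet a correct candidate is confirmed and a wrong one rejected.
    return {
        "password_visible_in_plain": password_from_plain(plain) == "winter2024",
        "password_visible_in_cram": "winter2024" in captured,
        "wrong_guess_confirmed": response_confirms_guess(challenge, captured, "alice", "summer2023"),
        "right_guess_confirmed": response_confirms_guess(challenge, captured, "alice", "winter2024"),
        "rfc2195_vector": cram_md5_response(RFC2195_USER, RFC2195_PASSWORD, RFC2195_CHALLENGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two dictionary entries `password_visible_*` show the difference CRAM-MD5 does make (the password itself is no longer on the wire); the two `*_guess_confirmed` entries show what it does not fix: a recorded exchange is an offline oracle for password guesses, so the phrase "protection against passive eavesdropping" overstates it.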