LDAPDN and AuthMeth/DIGEST-MD5
The AuthMeth draft does not specify a canonical DN form for use with the DIGEST-MD5 algorithm. Without such, the server must dynamically determine response-value based upon the user-provided DN and the cleartext password stored for this DN.

I believe the AuthMeth draft should specify a canonical DN form for use with the DIGEST-MD5 and similar mechanisms. In fact, it may be appropriate to require use of this form within AuthzIDs (though I suggest we remove AuthzIDs altogether, but that's another thread).

The AuthMeth draft should also clarify whether or not the DIGEST-MD5 username (and/or authzid) string provided by the client is a string encoding of a DN, a string encoding of an AuthMeth authzId, or a string encoding of an AuthMeth uAuthzId userid value.

I should also note that AuthMeth draft-defined keywords are easily confused with DIGEST-MD5 keywords (authzid vs authzId). I suggest that AuthMeth rename its authzId keyword.

In addition, the AuthMeth document does not describe if or how applications may use advanced features of DIGEST-MD5, such as integrity protection and confidentiality protection. The draft should explicitly note that these features are not covered under this specification.