
LDAPDN and AuthMeth/DIGEST-MD5



The AuthMeth draft does not specify a canonical DN form
for use with the DIGEST-MD5 algorithm.  Without such, the
server must dynamically determine the response-value based upon
the user-provided DN and the cleartext password stored for this
DN.

I believe the AuthMeth draft should specify a canonical
DN form for use with the DIGEST-MD5 and similar mechanisms.
In fact, it may be appropriate to require use of this form
within AuthzIDs (though I suggest we remove AuthzIDs
altogether, but that's another thread).

The AuthMeth draft should also clarify whether or not the
DIGEST-MD5 username (and/or authzid) string provided by the
client is a string encoding of a DN, a string encoding of an
AuthMeth authzId, or a string encoding of an AuthMeth uAuthzId
userid value.

I should also note that the AuthMeth draft's defined keywords
are easily confused with DIGEST-MD5 keywords (authzid
vs authzId).  I suggest that AuthMeth rename its authzId
keyword.

In addition, the AuthMeth document does not describe if or
how applications may advance features of DIGEST-MD5, such
as integrity protection and confidentiality protection.
The draft should explicitly note that these features are not
covered under this specification.
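The canonical-DN point from the first paragraph, as an added example (not code from the original message or from the AuthMeth or DIGEST-MD5 drafts): the same DN in two string forms hashes to different DIGEST-MD5 response-values, so a server that stores only H(username:realm:passwd) cannot verify the user unless client and server both hash one agreed canonical form. The normalize_dn function is a hypothetical, deliberately minimal canonicalization, and the realm, nonce, password and DN values are constructed.

```python
import hashlib

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_urp(username: str, realm: str, password: str) -> bytes:
    """H(username ":" realm ":" passwd): the hashed form a server may keep
    instead of the cleartext password, but only if username is byte-stable."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(urp: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value per RFC 2831 (no authzid): HEX(H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2))))."""
    a1 = urp + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    return md5hex(f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2)}".encode("utf-8"))

def normalize_dn(dn: str) -> str:
    """Hypothetical minimal canonical form: attribute types lowercased, whitespace
    around '=' and ',' dropped. Escaped separators and value case-folding (which
    depends on each attribute's matching rule) are deliberately not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(rdns)

# Constructed sample values for one exchange.
REALM, PASSWORD = "example.com", "secret"
NONCE, CNONCE, NC, QOP, URI = "n0nce", "cn0nce", "00000001", "auth", "ldap/example.com"
DN_STORED = "cn=Manager,dc=example,dc=com"     # form the server hashed when the password was set
DN_TYPED = "CN=Manager, DC=example, DC=com"    # equivalent DN as the client supplied it

def server_accepts(client_username: str, canonicalize: bool) -> bool:
    """Server recomputes the response from its stored urp hash and compares.
    With canonicalize=True both sides hash the canonical DN, as a spec would require."""
    stored = stored_urp(normalize_dn(DN_STORED) if canonicalize else DN_STORED, REALM, PASSWORD)
    client_name = normalize_dn(client_username) if canonicalize else client_username
    client_resp = digest_response(stored_urp(client_name, REALM, PASSWORD),
                                  NONCE, CNONCE, NC, QOP, URI)
    return client_resp == digest_response(stored, NONCE, CNONCE, NC, QOP, URI)
```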