
RE: LDAPDN and AuthMeth/DIGEST-MD5



At 07:02 PM 11/19/99 -0800, Paul Leach (Exchange) wrote:
>
>
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
>> Sent: Friday, November 19, 1999 6:17 PM
>> To: Mark Wahl
>
>> 
>> Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
>> not work for DN-based authorization identities.  A canonical
>> utf8 representation of DNs is necessary.
>
>I don't think so. From the Digest-MD5 draft:

>Hence, all that is necessary is that the server use exactly the
>authzid-value that the client used to compute A1

Which means that the server cannot precompute and store A1,
it must store the clear text password.  If it stores the
clear text password and the storage is cracked, the real
clear text password is exposed.

>it does not need to be canonicalized.

It needs to be canonicalized to allow servers to avoid
non-clear-text storage.
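The A1 construction the two messages argue over, as an added example that is not part of the original thread. It follows the A1, A2 and response-value formulas of RFC 2831 (the published form of the DIGEST-MD5 draft quoted above); whether the draft text in force in November 1999 already had this form is not something this page shows. The realm, nonces, digest-uri, DNs and password are constructed. It shows where the authzid enters A1 and how a server that holds only H(username:realm:password) checks a response against the authzid bytes exactly as the client sent them, and that the same DN in a different spelling fails even with the right password.

```python
"""DIGEST-MD5 (RFC 2831) response computation with an authzid.
Constructed example: realm, nonces, digest-uri, DNs and password are made up."""
import hashlib
import hmac
from typing import Optional


def h(data: bytes) -> bytes:
    """H() of RFC 2831: MD5 as a raw 16-byte digest."""
    return hashlib.md5(data).digest()


def inner_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd): the only term of A1 that depends on the password."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))


def a1(inner: bytes, nonce: str, cnonce: str, authzid: Optional[str]) -> bytes:
    """A1 = H(user:realm:pass) ":" nonce ":" cnonce [ ":" authzid ].
    The authzid is concatenated outside the inner hash, byte for byte as the
    client sent it; no canonical form of the DN is ever hashed."""
    out = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        out += b":" + authzid.encode("utf-8")
    return out


def response_value(inner: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                   digest_uri: str, authzid: Optional[str] = None, *,
                   server: bool = False) -> str:
    """response-value (client) or rspauth (server), qop=auth form:
    HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))."""
    a2 = (":" if server else "AUTHENTICATE:") + digest_uri
    ha1 = h(a1(inner, nonce, cnonce, authzid)).hex()
    ha2 = h(a2.encode("utf-8")).hex()
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()


# --- constructed exchange parameters (not real values) -------------------
REALM, NONCE, CNONCE = "example.com", "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"
NC, QOP, DIGEST_URI = "00000001", "auth", "ldap/ldap.example.com"
USERNAME, PASSWORD = "alice", "correct horse battery staple"


def client_response(password: str, authzid: Optional[str]) -> str:
    """What the client sends: it holds the clear-text password."""
    inner = inner_hash(USERNAME, REALM, password)
    return response_value(inner, NONCE, CNONCE, NC, QOP, DIGEST_URI, authzid)


# The server keeps only H(username:realm:password), not the password itself.
# Note this value is password-equivalent for DIGEST-MD5: whoever obtains it
# can authenticate as the user, even though the password is not revealed.
SERVER_STORE = {USERNAME: inner_hash(USERNAME, REALM, PASSWORD)}


def server_verify(username: str, authzid_as_received: Optional[str], resp: str) -> bool:
    """Recompute the response from the stored inner hash, using the authzid
    exactly as received, and compare in constant time."""
    inner = SERVER_STORE.get(username)
    if inner is None:
        return False
    expected = response_value(inner, NONCE, CNONCE, NC, QOP, DIGEST_URI, authzid_as_received)
    return hmac.compare_digest(expected, resp)


def demo():
    """Returns (verified with the exact authzid, verified with a re-spelled DN)."""
    authzid = "cn=Alice,dc=example,dc=com"
    resp = client_response(PASSWORD, authzid)
    exact = server_verify(USERNAME, authzid, resp)
    # Same DN under LDAP matching rules, different octets: verification fails.
    respelled = server_verify(USERNAME, "CN=Alice, DC=example, DC=com", resp)
    return exact, respelled


if __name__ == "__main__":
    print(demo())
```

The server never needs a canonical DN to verify: it has to use the authzid octets the client used, and it can do so while storing only the inner hash. What it cannot do is map two spellings of one DN to a single stored credential, since the spelling is bound into A1 by the client; and the inner hash it stores is itself enough to impersonate the user, which is the caveat to weigh against "non-clear-text storage".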