RE: LDAPDN and AuthMeth/DIGEST-MD5

To: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.Org>, "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Subject: RE: LDAPDN and AuthMeth/DIGEST-MD5
From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Date: Sun, 21 Nov 1999 17:53:55 -0800
Cc: "'Kurt D. Zeilenga'" <kurt@boolean.net>, ietf-ldapext@netscape.com
Resent-date: Sun, 21 Nov 1999 17:54:22 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"c_JVvC.A.fPB.GJKO4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Title: RE: LDAPDN and AuthMeth/DIGEST-MD5

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Sunday, November 21, 1999 4:48 AM

> Which means that the server cannot precomute and store A1,
> it must store the clear text password.

Regardless of authzid, it can't precompute A1 because the computation contains per-connection nonces.

> If it stores the
> clear text password and the storage is cracked, the real
> clear text password is exposed.

No. It can store
H( { username-value, ":", realm-value, ":", passwd }
which is what was intended to be precomputed, not A1.

>
> >it does not need to be canonicalized.
>
> In needs to be canonicalized to allow servers to avoid
> non clear text storage.

As shown above, that's not correct.

Paul

Follow-Ups:
- RE: LDAPDN and AuthMeth/DIGEST-MD5
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>