Re: [ldapext] DBIS - new IETF drafts

Mark R Bannister <dbis@proseconsulting.co.uk> Fri, 10 January 2014 13:54 UTC

Message-ID: <52CFFB89.1040900@proseconsulting.co.uk>
Date: Fri, 10 Jan 2014 13:54:17 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
To: Michael Ströder <michael@stroeder.com>
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <1389033674.27654.32.camel@pico.ipa.ssimo.org> <52CB2030.3010403@proseconsulting.co.uk> <1389050240.27654.67.camel@pico.ipa.ssimo.org> <52CDB6B2.2080406@proseconsulting.co.uk> <52CEBEAE.5090701@stroeder.com>
In-Reply-To: <52CEBEAE.5090701@stroeder.com>
Cc: ldapext@ietf.org
Subject: Re: [ldapext] DBIS - new IETF drafts
List-Id: LDAP Extension Working Group <ldapext.ietf.org>

On 09/01/2014 15:22, Michael Ströder wrote:
> Mark R Bannister wrote:
>>> Exposing hashes should be a last resort for compatibility reasons only
>>> and should be disabled by default with appropriate ACIs.
> The problem with exposing a central {CRYPT} hash is that a central and single
> password will be compromised even though newer systems might be capable of
> using stronger authc mechs. Especially if you want to support old systems you
> likely won't be able to use a stronger {CRYPT} hashing scheme.
>
> => I'd avoid that mess completely and I won't support any schema encouraging
> this. At least your drafts should contain big ALARM notes in the security
> considerations section.

As long as we have a solution to make migration to DBIS straightforward 
and without forcing everybody to change their passwords and without 
forcing legacy NIS clients to require upgrading, then I'm with you.

>
>> I don't suggest DBIS makes any mention of ACIs.  That's up to local rules &
>> procedures, not something that could possibly be standardised.
>>> My point of view is that using LDAP binds SHOULD be mandated for
>>> authentication for any new client following any new schema, and exposing
>>> hashes MUST be disabled by default, and explicitly enabled by admins
>>> that need backwards compatibility. We need to move up the security bar,
>>> and you do that only with appropriate defaults, and new IETF work should
>>> reflect that IMHO.
>>>
>>> Simo.
> +1 to Simo's comment.

Can all LDAP servers on the market today use a CRYPT-style password to 
serve a bind request?  If so, it's easy to mandate this.  If not, it 
won't be mandatory.

>
>> I don't think LDAP binds can be mandated, we can only strongly recommend it.
>> Given the migration path I have already described, I find it highly unlikely
>> that people will be able to move to LDAP binds and move off CRYPT immediately,
> If your customers have old legacy systems which they won't change at all then
> simply let them run them in an isolated environment with all the old cruft
> around they need for those systems. Sooner or later they have to migrate
> anyway because systems are running out-of-service (e.g. will not receive
> security updates anymore).
>
> IMO any new standard should focus on getting the near future right.

This is where we differ a lot.  You would throw away the past to build 
the future (ironically something that Howard seems to be accusing me 
of).  I, on the other hand, am all about building bridges between the 
past and the future so that we don't cut anybody out.  Everyone should 
be able to make use of DBIS, right now, without pain.  Flick a switch, 
you're on DBIS, then slowly make improvements once you're on a better 
framework.  That's the philosophy, and I'll happily battle hard and feel 
lots of pain now convincing everybody that you can't ignore the past, if 
it means users of DBIS in the future don't have to feel any pain.

Best regards,
Mark.
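As an added example (not part of this thread or of any DBIS draft): a Python audit that reads an LDIF export, finds each userPassword value and reports its scheme and, for {CRYPT}, which crypt(3) variant it uses. This is the check behind Michael's point that keeping old clients working ties the central hash to the weakest {CRYPT} form, and it shows the inventory an admin would want before deciding whether hashes can stay unreadable and binds can be used instead. The LDIF, DNs and hash bodies are constructed placeholders.

```python
import base64
import re
# Constructed sample LDIF export (not from the thread); hash bodies are made-up.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CRYPT}abJ7MTTWZMWyM").decode(),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword: {CRYPT}$6$saltsalt$placeholderhashvalue",
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: {SSHA}placeholderbase64value=",
])

# crypt(3) variants by prefix; a bare 13-character body is traditional DES,
# the only form every legacy crypt(3)/NIS client is guaranteed to understand.
CRYPT_PREFIXES = {"$6$": "sha512crypt", "$5$": "sha256crypt",
                  "$2": "bcrypt", "$1$": "md5crypt"}
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def parse_ldif(text):
    """Return [(dn, [userPassword values])]; handles '::' base64 values."""
    entries = []
    for line in text.splitlines():
        if line.startswith("dn: "):               # a new dn starts a new entry
            entries.append((line[4:], []))
        elif line.startswith("userPassword:: "):  # LDIF base64-encoded value
            entries[-1][1].append(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            entries[-1][1].append(line[14:])
    return entries

def classify(value):
    """Map one userPassword value to (scheme, crypt variant or 'n/a')."""
    m = SCHEME.match(value)
    if not m:
        return ("cleartext", "n/a")               # RFC 2307: no prefix = cleartext
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, "n/a")                    # server-side only, fine for binds
    if TRADITIONAL_DES.match(body):
        return ("CRYPT", "des-traditional")       # 8 significant chars, 12-bit salt
    for prefix, name in CRYPT_PREFIXES.items():
        if body.startswith(prefix):
            return ("CRYPT", name)
    return ("CRYPT", "unknown")

def audit(text):  # {dn: [(scheme, variant), ...]} for entries with a password
    return {dn: [classify(v) for v in pws] for dn, pws in parse_ldif(text) if pws}
```

Run `audit(SAMPLE_LDIF)` to see which entries would need a DES-only hash exposed to keep a legacy NIS client working; everything else can stay behind an ACI and be verified by the server on bind.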