Re: [ldapext] DBIS - new IETF drafts

Andrew Findlay <andrew.findlay@skills-1st.co.uk> Fri, 10 January 2014 17:44 UTC

Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3E61AE108 for <ldapext@ietfa.amsl.com>; Fri, 10 Jan 2014 09:44:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n13iRhscV7Hs for <ldapext@ietfa.amsl.com>; Fri, 10 Jan 2014 09:44:22 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id BCD6B1AE074 for <ldapext@ietf.org>; Fri, 10 Jan 2014 09:44:22 -0800 (PST)
Received: from 9.d.e.2.e.6.a.d.5.9.e.0.f.9.4.9.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:949f:e95:da6e:2ed9] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1g7w-0008GP-44; Fri, 10 Jan 2014 17:44:12 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1g7v-0007Ew-Lm; Fri, 10 Jan 2014 17:44:11 +0000
Date: Fri, 10 Jan 2014 17:44:11 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Mark R Bannister <dbis@proseconsulting.co.uk>
Message-ID: <20140110174411.GB3938@slab.skills-1st.co.uk>
References: <52CAEA7D.5030002@highlandsun.com> <1389033674.27654.32.camel@pico.ipa.ssimo.org> <52CB2030.3010403@proseconsulting.co.uk> <1389050240.27654.67.camel@pico.ipa.ssimo.org> <52CDB6B2.2080406@proseconsulting.co.uk> <52CEBEAE.5090701@stroeder.com> <20140109174321.GV3938@slab.skills-1st.co.uk> <52CFFEAC.7070208@proseconsulting.co.uk> <C6DD84E6-0D5D-4F7A-90DF-46C382D4B06A@padl.com> <52D0057D.2030501@proseconsulting.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <52D0057D.2030501@proseconsulting.co.uk>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: Luke Howard <lukeh@padl.com>, Ldapext <ldapext@ietf.org>, Michael Ströder <michael@stroeder.com>
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 17:44:24 -0000

On Fri, Jan 10, 2014 at 02:36:45PM +0000, Mark R Bannister wrote:

>    While a DUA MAY implement any authentication password scheme
>    supported by the DSA, it MUST support the CRYPT scheme for backwards
>    compatibility, which is an implementation of the traditional UNIX
>    crypt algorithm.  However, it is RECOMMENDED that a more secure
>    scheme is used.

Is it really necessary for client code to get involved with this at all?

>    Passwd and group database entries contain encrypted passwords and
>    SHOULD be transmitted securely when transferred between DSA and DUA
>    to prevent eavesdropping.  A DUA SHOULD NOT allow a user to see any
>    encrypted passwords except they MAY see the password on their own
>    posixUserAccount entry in encrypted form.

Don't rely on the DUA (client code) to protect data from the user.
That's just saying "here is a bit of paper with a secret on the
other side; please don't turn it over". The person currently looking
at the screen may not be the person who logged in...

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
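Worked example of the server-side alternative Andrew is pointing at: instead of asking the DUA to hide hashes it has already been given, the DSA simply never releases them. This is an added illustration, not code from the mail or from the DBIS drafts. It assumes an OpenLDAP slapd using the cn=config backend, RFC 2307-style account entries whose crypt hash is stored in userPassword (the DBIS attribute name is not given on this page), and a hypothetical first database at olcDatabase={1}mdb.

```ldif
# Added example (not from the email or the DBIS drafts): OpenLDAP cn=config
# change that keeps password hashes on the DSA instead of trusting the DUA.
# Assumptions: slapd with the cn=config backend, RFC 2307-style accounts whose
# hash lives in userPassword, and a hypothetical database olcDatabase={1}mdb.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: nobody may read them back, not even the account owner.
# "=xw" grants exactly auth (x) and write (w): the user can bind with the
# password and change it, but a search for userPassword returns nothing.
# "anonymous auth" is what allows the initial simple bind to be checked.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...) stays
# readable to authenticated clients, so a DUA can resolve accounts and groups
# without ever handling a hash.
olcAccess: {1}to *
  by users read
  by * none
-
# The drafts say hashes SHOULD be transmitted securely; enforce that on the
# DSA too, so an unprotected connection cannot even bind (128-bit minimum).
replace: olcSecurity
olcSecurity: ssf=128
```

Apply it with the usual `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`. ACL clauses are evaluated in order and the first matching `by` wins, so keep the userPassword rule ahead of the catch-all. If a deployment does want the drafts' "MAY see the password on their own entry", change `by self =xw` to `by self write`; the point of the example is that whichever policy is chosen, the DSA decides what leaves the server, and a DUA that ignores the SHOULD NOT cannot leak what it was never sent.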