Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
Howard Chu <hyc@highlandsun.com> Thu, 14 March 2013 16:06 UTC
Return-Path: <hyc@highlandsun.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88BF011E8267 for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 09:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ulW6eoRXX3ep for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 09:06:03 -0700 (PDT)
Received: from mail.highlandsun.com (mail.highlandsun.com [70.87.222.79]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE9311E8141 for <ldapext@ietf.org>; Thu, 14 Mar 2013 09:05:54 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.highlandsun.com (Postfix) with ESMTP id 1F07B84ED5; Thu, 14 Mar 2013 12:05:52 -0400 (EDT)
Message-ID: <5141F560.6040805@highlandsun.com>
Date: Thu, 14 Mar 2013 09:05:52 -0700
From: Howard Chu <hyc@highlandsun.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 SeaMonkey/2.19a1
MIME-Version: 1.0
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk>
In-Reply-To: <20130314001901.GN18706@slab.skills-1st.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "ldap@umich.edu" <ldap@umich.edu>, Kurt Zeilenga <kurt.zeilenga@isode.com>
Subject: Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 16:06:07 -0000
Andrew Findlay wrote: > On Wed, Mar 13, 2013 at 11:39:28PM +0100, Michael Ströder wrote: > >>> I see this document is marked as being intended to be published as >>> Informational, but it reads more like it's trying to be a standard. >> >> I tried to add some wording to avoid that misunderstanding in the next >> revision of this draft: >> >> http://www.ietf.org/internet-drafts/draft-stroeder-hashed-userpassword-values-01.txt > > Still -01 ? > > You are explicitly excluding details of '{crypt}'. I think this is a > mistake, especially in an informational document. {crypt} is > extremely useful in transition scenarios, so people need to know about > it. Who benefits from this document? What interoperability problems does it solve? Hashed userPassword values are strictly a server-internal implementation detail, clients never need to know about them. The syntax specification is defective in at least 2 ways: 1) it only allows a form "hashandsalt" which actually precludes any unsalted hash mechanisms. 2) it only allows "b64-hashandsalt" which precludes any mechanisms that don't use base64 format for their values. E.g. Unix crypt and Windows LANMAN hash formats use their own binary-to-printable encoding, not base64. > What platform-specific variants do you know of? > The really important one is the old Unix-crypt 13-char salted hash. > > Could you perhaps say something like: > > {crypt} introduces a password-hash string that is generated and > checked by the crypt(3) library. This could be the traditional > 13-character 'Unix crypt' or some other variant such as the stronger > '$1$' and $6$' schemes used by recent versions of Linux. > > Andrew > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
- [ldapext] Any implementations using userPassword;… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Luke Howard
- Re: [ldapext] Any implementations using userPassw… Andrew Sciberras
- Re: [ldapext] Any implementations using userPassw… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Kurt Zeilenga
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Ludovic Poitou
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Howard Chu
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Hallvard Breien Furuseth