Re: [ldapext] draft-stroeder-hashed-userpassword-values-01

[Andrew Findlay <andrew.findlay@skills-1st.co.uk>]

On Wed, Mar 13, 2013 at 11:39:28PM +0100, Michael Ströder wrote:

> http://www.ietf.org/internet-drafts/draft-stroeder-hashed-userpassword-values-01.txt

In section 3 Implementation Issues, the 4th paragraph talks
about checking the syntax of the storage scheme. This
certainly has to be done, but I am a bit worried by the last
sentence:

	Any value which do not adhere to this syntax MAY be treated as
	clear-text password by the DSA when processing a LDAP simple
	bind request or LDAP compare request.

This is probably what most servers actually do, but it does
mean that any unrecognised schemes or badly-formatted values
effectively become clear-text passwords. Not a good failure
mode...

This is another case where the use of standard-setting words
like MAY and SHOULD sits uneasily with the informational
status of the document. From a security perspective I would
prefer something like this:

	Any value which does not have correct syntax SHOULD be
	treated as a value that can never match any password
	asserted by a user.

On the other hand, as a description of current practice it may
be better to say:

	The treatment of values with incorrect syntax is
	defined by the server implementation. Administrators
	should be aware that servers may treat such values as
	clear-text passwords, thus removing the benefit of
	hashing entirely. Values using storage schemes not
	known to the server may have the same effect.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------