Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
Andrew Findlay <andrew.findlay@skills-1st.co.uk> Fri, 15 March 2013 12:53 UTC
Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF4221F8F56 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 05:53:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.375
X-Spam-Level:
X-Spam-Status: No, score=-2.375 tagged_above=-999 required=5 tests=[AWL=-0.075, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vuu4uARRMR1G for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 05:53:29 -0700 (PDT)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id BB09E21F8F4F for <ldapext@ietf.org>; Fri, 15 Mar 2013 05:53:28 -0700 (PDT)
Received: from 2.b.0.9.d.6.e.f.f.f.a.6.1.2.2.0.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:221:6aff:fe6d:90b2] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1UGU8V-0002UV-Jl; Fri, 15 Mar 2013 12:53:27 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1UGU8U-00060f-R1; Fri, 15 Mar 2013 12:53:26 +0000
Date: Fri, 15 Mar 2013 12:53:26 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael Ströder <michael@stroeder.com>
Message-ID: <20130315125326.GA22595@slab.skills-1st.co.uk>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <51410020.4020800@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: "ldap@umich.edu" <ldap@umich.edu>, ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 12:53:29 -0000
On Wed, Mar 13, 2013 at 11:39:28PM +0100, Michael Ströder wrote: > http://www.ietf.org/internet-drafts/draft-stroeder-hashed-userpassword-values-01.txt In section 3 Implementation Issues, the 4th paragraph talks about checking the syntax of the storage scheme. This certainly has to be done, but I am a bit worried by the last sentence: Any value which do not adhere to this syntax MAY be treated as clear-text password by the DSA when processing a LDAP simple bind request or LDAP compare request. This is probably what most servers actually do, but it does mean that any unrecognised schemes or badly-formatted values effectively become clear-text passwords. Not a good failure mode... This is another case where the use of standard-setting words like MAY and SHOULD sits uneasily with the informational status of the document. From a security perspective I would prefer something like this: Any value which does not have correct syntax SHOULD be treated as a value that can never match any password asserted by a user. On the other hand, as a description of current practice it may be better to say: The treatment of values with incorrect syntax is defined by the server implementation. Administrators should be aware that servers may treat such values as clear-text passwords, thus removing the benefit of hashing entirely. Values using storage schemes not known to the server may have the same effect. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
- [ldapext] Any implementations using userPassword;… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Luke Howard
- Re: [ldapext] Any implementations using userPassw… Andrew Sciberras
- Re: [ldapext] Any implementations using userPassw… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Kurt Zeilenga
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Ludovic Poitou
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Howard Chu
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Hallvard Breien Furuseth