IETF meeting in Paris
By Ludo on Aug 05, 2005
Though I mainly go to the IETF to work on LDAP (both with the LDAPBis working group and as an individual contributor -for example with the LDAP password policy- ), I often go to other working groups and BOF sessions to get a sense of what's going on in the Internet community (at least in the areas that I understand).
And this time, the buz was clearly around the recent vulnerabilities with the use of one-way hash functions such as MD5 and SHA1. With the increasing computation power of computers and the ease of deployment of man-in-the-middle attack, these functions are no longer considered as secure enough. And so are authentication mechanisms based on cleartext challenge-response exchanges. For Directory Server's customers, this means that the way to secure their authentication t0 LDAP is to use TLS either via the use of StartTLS extended operation or LDAP over SSL. Once the connection is secured, the authention could be based on the Simple bind, Sasl Bind with Digest-MD5 mechanism or with exchanged certificates.
On the LDAP front, the participation is diminishing (mainly remains Novell, OpenLDAP and Sun) but the work of revising the LDAPv3 specification for clarification and better interoperability is mainly done. The last remaining issues were hammered this week (hopefully) and we are expecting RFC publication before or around next IETF meeting.
LDAPers in IETF action: Roger, Kurt, Jim and Ludo (left to right).
Tags: LDAP IETF Directory Server