This week I was in Paris for the 63rd IETF meeting.
Though I mainly go to the IETF to work on LDAP (both with the LDAPBis working
group and as an individual contributor, for example with the LDAP
password policy), I often go to other working groups and BOF sessions
to get a sense of what’s going on in the Internet community (at least
in the areas that I understand).
And this time, the buzz was clearly around the recent vulnerabilities
with the use of one-way hash functions such as MD5 and SHA1. With the
increasing computation power of computers and the ease of deployment of
man-in-the-middle attacks, these functions are no longer considered
secure enough. Neither are authentication mechanisms based on cleartext
challenge-response exchanges. For Directory Server’s customers, this
means that the way to secure their authentication to LDAP is to use TLS,
either via the StartTLS extended operation or LDAP over SSL.
Once the connection is secured, the authentication could be based on the
Simple bind, SASL Bind with Digest-MD5 mechanism or with exchanged
On the LDAP front, the participation is diminishing (mainly Novell,
OpenLDAP and Sun remain) but the work of revising the LDAPv3
specification for clarification and better interoperability is mainly
done. The last remaining issues were hammered out this week (hopefully) and
we are expecting RFC publication before or around the next IETF meeting.
LDAPers in IETF action: Roger, Kurt, Jim and Ludo (left to right).