Adam Tauno Williams wrote:
From my interest in applied cryptography, I was surprised to see how
limited are the (open)LDAP directory entry encryption options.
From a security audit perspective, plain text passwords in the LDAP DSA
implementation appear worrisome.
Why? If your DSA(s) is/are breached - you're screwed anyway. The worry
seems almost entirely theoretical to me.
That would be an insider fraud mitigation mechanism: prevent the
support personnel from easy access to finance department passwords. E.g.
Sarbanes-Oxley scrutiny.
A DSA host should be sufficiently hardened and backups should be
encrypted. Physical access to servers should be restricted and
monitored. There is lots of sensitive data in most DSAs beyond
passwords.
Granted, I didn't do a security audit of a DSA implementation.
Thanks for your observations.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
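The mitigation the thread circles around, the DSA holding a salted hash instead of the cleartext so that a support administrator reading the entry does not learn the password, as an added example that is not part of the mailing-list exchange. It assumes the RFC 2307 `{SSHA}` layout (base64 of SHA-1(password || salt) || salt) and a small audit helper over constructed LDIF-style values; neither is code from the thread's participants.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} userPassword value.

    Layout: "{SSHA}" + base64(SHA-1(password || salt) || salt).
    Only this string is stored in the directory, never the cleartext.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh per-entry salt defeats shared rainbow tables
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        return False  # cleartext or another scheme: not ours to verify
    try:
        raw = base64.b64decode(stored[len(SCHEME):])
    except ValueError:
        return False  # malformed value, treat as non-matching
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def password_scheme(value: str) -> str:
    """Name the RFC 2307 scheme prefix of a userPassword value.

    A value with no "{SCHEME}" prefix is stored as cleartext.
    """
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


def audit_cleartext(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the DNs whose userPassword is held in cleartext (the audit finding)."""
    return [dn for dn, pw in entries if password_scheme(pw) == "CLEARTEXT"]


# Constructed sample entries (dn, userPassword), not taken from any real DSA.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=finance,dc=example,dc=com", ssha_hash("alice-pw", b"saltsalt")),
    ("uid=bob,ou=finance,dc=example,dc=com", "bob-pw-in-clear"),
]
```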