Yes. Since we do not have control over the LDAP servers, it seems that there is
still a problem here. I assume that web servers had the same problem.
I wonder if a solution was found there.

Avshalom

------------------------------------------------------------------------------
Avshalom Houri
Presence and Instant Messaging Architect
Lotus Sametime, IBM Software Group
IBM Haifa Research Labs - Rehovot Site




"Arunachalam Venkatraman" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/11/2002 17:41

To: "James Undery" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication





James
Your observation is correct.
I think the original issue was not the security of the password but some
difficulty in getting the password from an LDAP server.
The use of H(A1) was suggested as an alternative.
Thanks
Venkat

-----Original Message-----
From: James Undery [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 9:33 AM
To: Arunachalam Venkatraman; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication

Hi,

What I would make explicit is that sending H(A1) without encryption is not
much better than sending the password in the clear, i.e. you've still
provided someone snooping the traffic all they need to authenticate any
message they choose.

James

-----Original Message-----
From: Arunachalam Venkatraman [mailto:[EMAIL PROTECTED]]
Sent: 05 November 2002 15:22
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication


Ranjit
I am not sure I understand your question.
If you want to send passwords securely on an unsecured network, you must use
some encryption mechanism.
For MD5 digest authentication, the algorithm does not require knowledge of
the password, if H(A1) is known.

Thanks
Venkat

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
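
As an added illustration (not code from any poster in this thread), the following shows the property discussed above: an MD5 digest response is computed from H(A1) alone, so a server can verify without the password, and H(A1) must be protected in transit and at rest like the password for its realm. The sample values are the RFC 2617 section 3.5 example plus constructed SIP values; function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) for MD5 digest authentication (RFC 2617)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Digest response computed from H(A1) only; the password never appears."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # challenge without qop
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1, received, method, uri, nonce, **qop_fields):
    """Server-side check using only the H(A1) value held in the directory."""
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, received)

# Sample input: RFC 2617 section 3.5 example values (not from this thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
QOP = dict(qop="auth", nc="00000001", cnonce="0a4f113b")
# Constructed SIP request values for the second check.
SIP_URI, SIP_NONCE = "sip:bob@example.com", "constructed-nonce-0001"

def demo():
    ha1 = h_a1(USER, REALM, PASSWORD)  # the value a directory would hand out
    # From here on only ha1 is used; PASSWORD is never referenced again.
    rfc = digest_response(ha1, "GET", "/dir/index.html", NONCE, **QOP)
    sip = digest_response(ha1, "INVITE", SIP_URI, SIP_NONCE)
    return {
        "rfc_response": rfc,
        "rfc_verifies": server_verify(ha1, rfc, "GET", "/dir/index.html",
                                      NONCE, **QOP),
        # The same H(A1) answers a different method, URI and nonce.
        "sip_verifies": server_verify(ha1, sip, "INVITE", SIP_URI, SIP_NONCE),
        # H(A1) is bound to the realm: another realm yields another value.
        "realm_bound": h_a1(USER, "other.example", PASSWORD) != ha1,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```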
