[bind10-dev] Security Mechanism for Cmdctl and Bindctl
fdupont at isc.org
Mon Jun 14 19:36:32 UTC 2010
> > => "password in plaintext" is not suitable for a security mechanism.
> Francis: I believe this means it is using HTTP/1.0 Authentication
> instead of RFC 2069 Digest Access Authentication. Either way, it is sent
> via SSL. Any thoughts on if plain text auth over SSL is not suitable?
=> yes because in encapsulated authentication protocols you need a way
to bind them together to avoid MITM attacks, and this is pretty hard to
do with a password. So I still say "password in plaintext" is bad for
Francis Dupont <fdupont at isc.org>
PS: the draft explaining the issue for PEAP and TTLS is not well known.
(it is draft-puthenkulam-eap-binding-01.txt)
Google gives another ref: http://eprint.iacr.org/2002/163.pdf
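The channel-binding point above, as an added illustration that is not part of the thread or of the BIND 10 code: a password proof keyed to a per-connection value (modelled loosely on TLS exporter keying material) only verifies on the connection it was computed for, whereas a plaintext password forwarded from one tunnel into another verifies just the same. All names, the sample password and the random "session secrets" are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not a real BIND 10 value.
PASSWORD = b"correct horse battery staple"


def channel_binding(tls_session_secret: bytes, label: bytes = b"EXPORTER-demo") -> bytes:
    """Derive a per-connection binding value from the connection's secret.

    Both ends of one TLS connection derive the same value. A second connection
    (for example one a relaying party opens to the real server) has its own
    secret and therefore a different binding value. Assumed construction,
    loosely modelled on TLS exporters, not a real protocol.
    """
    return hmac.new(tls_session_secret, label, hashlib.sha256).digest()


def make_bound_proof(password: bytes, binding: bytes) -> bytes:
    """Client side: prove knowledge of the password, tied to this connection."""
    return hmac.new(password, binding, hashlib.sha256).digest()


def verify_bound_proof(password: bytes, binding: bytes, proof: bytes) -> bool:
    """Server side: recompute the proof with its own view of the binding."""
    return hmac.compare_digest(make_bound_proof(password, binding), proof)


def run_direct() -> bool:
    """Client talks to the real server over one connection: proof verifies."""
    secret = os.urandom(32)  # constructed: shared by both ends of the connection
    proof = make_bound_proof(PASSWORD, channel_binding(secret))
    return verify_bound_proof(PASSWORD, channel_binding(secret), proof)


def run_relayed_bound() -> bool:
    """A relay forwards the bound proof over a second connection: it fails,
    because the server's binding value differs from the one the client used."""
    client_side = os.urandom(32)  # constructed: client <-> relay connection
    server_side = os.urandom(32)  # constructed: relay <-> real server connection
    proof = make_bound_proof(PASSWORD, channel_binding(client_side))
    return verify_bound_proof(PASSWORD, channel_binding(server_side), proof)


def run_relayed_plaintext() -> bool:
    """The same relay with a plaintext password inside the tunnel: nothing in
    the credential ties it to a connection, so the server accepts it."""
    forwarded = PASSWORD  # the relay simply passes the bytes through
    return hmac.compare_digest(forwarded, PASSWORD)


if __name__ == "__main__":
    print("direct, bound proof accepted:   ", run_direct())          # True
    print("relayed, bound proof accepted:  ", run_relayed_bound())   # False
    print("relayed, plaintext accepted:    ", run_relayed_plaintext())  # True
```

The binding here is what an encapsulated password scheme lacks by default: the inner credential carries no information about the outer channel, so the server cannot distinguish a directly connected client from one whose traffic was re-terminated and forwarded.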