--On Thursday, March 31, 2022 8:11 PM +0200 Geert Hendrickx geert@hendrickx.be wrote:
On Thu, Mar 31, 2022 at 04:29:04 -0000, thomaswilliampritchard@gmail.com wrote:
Quanah Gibson-Mount wrote:
So from that standpoint, I'd personally prefer to see ldaps:/// qualified in an RFC so the standardization argument goes away and ldaps be noted as the preferred method for sites that require encryption.
I agree there is no technical reason LDAPS would not be better. It should be made standard.
There are technical reasons in fact, STARTTLS has (had) implementation issues both on client- and server-side: https://nostarttls.secvuln.info/ Not necessarily in OpenLDAP, but it illustrates why in general, protocols wrapped in TLS are now preferred over STARTTLS. (See also RFC8314 for e-mail protocols.)
I was saying there's no flaw in LDAPS that I'm aware of that makes it inferior to startTLS on a technical level. I think the clear text bind issue in fact shows that LDAPS is technically superior to startTLS when encryption is required. The remaining issue is there's no RFC for it. I'd like to see that addressed. It was brought up before but there's been no progress on that front that I'm aware of.
--Quanah
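The thread's technical point is that with ldaps:// the TLS handshake happens before any LDAP message, whereas with ldap:// plus STARTTLS a client can (through bugs or misconfiguration) send a simple bind in clear text before the upgrade. The following is an added example, not code from the thread or from OpenLDAP: a small client-side audit that classifies the URIs a client is configured to use and flags the ones where credentials could travel unencrypted. The `starttls_required` flag is a hypothetical input standing for whatever setting the client application uses to make the upgrade mandatory before binding; the sample URI lists are constructed.

```python
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Well-known ports, used only to detect ldap:// pointed at the ldaps port.
LDAP_PORT = 389
LDAPS_PORT = 636


class UriVerdict(NamedTuple):
    uri: str
    safe: bool      # True if no credential can be sent before TLS is up
    reason: str


def classify_ldap_uri(uri: str, starttls_required: bool = False) -> UriVerdict:
    """Decide whether a bind over this URI is protected by TLS from the first byte.

    starttls_required is a hypothetical flag modelling a client that refuses
    to bind unless the STARTTLS upgrade succeeded (e.g. ldapsearch -ZZ).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:
        return UriVerdict(uri, False, "unparseable port")

    if scheme == "ldaps":
        # TLS is negotiated before any LDAP PDU, so a simple bind is always wrapped.
        return UriVerdict(uri, True, "TLS-wrapped: handshake precedes every LDAP message")

    if scheme == "ldapi":
        # Local Unix-domain socket; nothing crosses the network.
        return UriVerdict(uri, True, "local ldapi socket, no network exposure")

    if scheme == "ldap":
        if port == LDAPS_PORT:
            # The port does not imply TLS; this is almost certainly a typo for ldaps://.
            return UriVerdict(uri, False, "ldap:// on port 636: TLS is not implied by the port")
        if starttls_required:
            # Upgrade is mandatory, but the connection still starts in clear text.
            return UriVerdict(uri, True, "clear-text port with mandatory STARTTLS; ldaps:// is simpler")
        return UriVerdict(uri, False, "clear-text port and STARTTLS optional: bind may leak credentials")

    return UriVerdict(uri, False, f"unknown scheme {scheme!r}")


def audit_uri_line(uri_line: str, starttls_required: bool = False) -> List[UriVerdict]:
    """Audit a whitespace-separated URI list, the form used by an ldap.conf URI line."""
    return [classify_ldap_uri(u, starttls_required) for u in uri_line.split()]


def unsafe_uris(uri_line: str, starttls_required: bool = False) -> List[str]:
    """Return only the URIs over which a bind could go out unencrypted."""
    return [v.uri for v in audit_uri_line(uri_line, starttls_required) if not v.safe]


if __name__ == "__main__":
    # Constructed sample: one hardened entry, one typo, one clear-text fallback.
    sample = "ldaps://ldap1.example.com/ ldap://ldap2.example.com:636/ ldap://ldap3.example.com/"
    for verdict in audit_uri_line(sample):
        print(("ok   " if verdict.safe else "WARN ") + verdict.uri + "  " + verdict.reason)
```

Run against a client's configured URI line, the check reports each entry with a reason; the `ldap://host:636` case is called out separately because the port alone never turns on TLS, which is exactly the class of mistake a wrapped-TLS scheme like ldaps:// removes.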