On Wed, Jan 16, 2013 at 11:18 AM, Pierangelo Masarati masarati@aero.polimi.it wrote:
--On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder michael@stroeder.com wrote:
Quanah Gibson-Mount wrote:
--On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani oribani@gmail.com wrote:
Why hasn't the sha2 module been migrated out of the contrib directory
The "core" of OpenLDAP tries to be as RFC compliant as possible. There is no RFC that I'm aware of that adds SHA2 support.
Sorry, this is an artificial argument which is simply not valid!
Can you tell me which RFC specifies how to handle LANMAN hashes (--enable-lmpasswd)? There are plenty similar examples...
OpenLDAP, like many software projects that have existed for numerous years, has grown in its development practices. Just because something was done incorrectly in the past is not a reason to continue doing so. Feel free to port lanman hashes to a contrib module.
I'm not an expert in security, so this is just my 2c. In general, as far as I recall, we tend to be pragmatic when appropriate. So asking a fancy useless feature to become mainstream because other fancy useless features made it long ago is pointless. But when it comes to security, I think it may be wise to break the rule every now and then.
I'd add that things like sha2 aren't "fancy" and frivolous at all, but commonly recommended. As I mentioned, the more adoption it gets, the more the RFC authors will be encouraged to update, but even if not, deferring to the (outdated, if it in fact mentions SHA1 and nothing better) RFC on an issue like this may not be the best approach.