--On Thursday, March 31, 2022 8:11 PM +0200 Geert Hendrickx
<[email protected]> wrote:

> On Thu, Mar 31, 2022 at 04:29:04 -0000, [email protected]
> wrote:
> > Quanah Gibson-Mount wrote:
> > > So from that standpoint, I'd personally prefer to see ldaps:///
> > > qualified in an RFC so the standardization argument goes away and
> > > ldaps be noted as the preferred method for sites that require
> > > encryption.
> >
> > I agree there is no technical reason LDAPS would not be better. It
> > should be made standard.
>
> There are technical reasons in fact, STARTTLS has (had) implementation
> issues both on client- and server-side: https://nostarttls.secvuln.info/
> Not necessarily in OpenLDAP, but it illustrates why in general, protocols
> wrapped in TLS are now preferred over STARTTLS. (See also RFC8314 for
> e-mail protocols.)

I was saying there's no flaw in LDAPS that I'm aware of that makes it
inferior to startTLS on a technical level. I think the clear text bind
issue in fact shows that LDAPS is technically superior to startTLS when
encryption is required. The remaining issue is there's no RFC for it. I'd
like to see that addressed. It was brought up before but there's been no
progress on that front that I'm aware of.
--Quanah
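The clear text bind issue mentioned above (a simple bind sent on a port-389 session before STARTTLS has been negotiated, which an ldaps:// listener rules out by construction) is something a defender can look for in slapd access logs. The following is an added example, not code from this thread or from OpenLDAP; it assumes slapd's `conn=N op=N BIND dn="..." method=128` log format, a constructed log excerpt, and that the ldaps listener is on port 636.

```python
import re
from collections import defaultdict

# Constructed slapd-style access-log excerpt (not real traffic).
# conn=1000 binds in the clear *before* issuing STARTTLS,
# conn=1001 negotiates STARTTLS first, conn=1002 arrives on the
# ldaps listener, so TLS is in place before any LDAP PDU is read.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:50110 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 STARTTLS
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1001 fd=13 ACCEPT from IP=192.0.2.11:50111 (IP=0.0.0.0:389)
conn=1001 op=0 STARTTLS
conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 fd=14 ACCEPT from IP=192.0.2.12:50112 (IP=0.0.0.0:636)
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
"""

LDAPS_PORT = 636  # assumption: the ldaps:// listener port in this deployment
CONN_RE = re.compile(r"^conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=\S+ \(IP=[^:]+:(\d+)\)")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=128')  # 128 = simple bind


def find_cleartext_binds(log_text):
    """Return (conn_id, bind_dn) for every simple bind sent before TLS was up."""
    tls_up = defaultdict(bool)  # per-connection: has TLS been established yet?
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if (a := ACCEPT_RE.search(rest)):
            # On the ldaps listener the handshake precedes the first LDAP PDU.
            tls_up[conn] = int(a.group(1)) == LDAPS_PORT
        elif "TLS established" in rest:
            tls_up[conn] = True  # STARTTLS (or ldaps handshake) completed
        elif (b := BIND_RE.search(rest)):
            dn = b.group(1)
            if dn and not tls_up[conn]:  # anonymous bind carries no secret
                findings.append((conn, dn))
    return findings


if __name__ == "__main__":
    for conn, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn}: simple bind for {dn!r} before TLS was established")
```

Only conn=1000 is reported; the same check maps onto slapd's `security simple_bind=<ssf>` directive, which refuses such binds server-side instead of merely logging them.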