Re: userPassword question

On Wed, 29 Jul 1998, Mark Smith wrote:
> client. Bottom line: clients should always present passwords in clear
> text.

Mark, you have no idea how tempted I am to use that quote in a signature
line when posting to some IETF security related WGs. :-) But I'll be
good.

FYI, my technical opinion is:

All clients and servers MUST implement a fast authentication mechanism
which does not send the password in the clear and does not use encryption.
All clients and servers SHOULD implement an authentication mechanism which
sends a clear text password under strong encryption. All clients and
servers MUST be configurable to never send or accept an unencrypted clear
text password.

I expect the argument between these two philosophies will be very
interesting.

- Chris