
Re: Authentication Methods for LDAP - last call



The whole reason for this document is to make one mechanism
mandatory, so that implementations have some guarantee of
interoperability. Aside from being a good idea, this constraint
has been clearly imposed by the IESG. So, you could argue
that we've chosen the wrong mandatory mechanism, and that
we should have chosen an X.509-based mechanism to be
mandatory. That was considered and rejected as too high
an implementation burden. Given this background, and these
constraints, do you have any suggestions on how to improve
this document?

-- Tim

Steve Kille wrote:

> Mark,
>
> I agree with all of this. CRAM-MD5 is a good shared
> secret mechanism, better than plain text password, and
> suitable for some LDAP deployment.
>
> I think that X.509 (asymmetric key) mechanisms, such as
> the one you describe, are going to be suitable for a lot of
> other environments.
>
> My objection is to making CRAM-MD5 MANDATORY, when it is
> so clearly unsuitable for a lot of types of LDAP deployment.
>
> Steve