Re: Authentication Methods for LDAP - last call

[Steve Kille <S.Kille@isode.com>]

Tim,

I think that we both agree that making an X.509 mechanism 
mandatory is the wrong approach (at least in 1998).

While there are benefits to having a single mandatory 
mechanism, given the current situation with LDAP, forcing
a mandatory implementation of a mechanism which is totally 
inadequate for many deployments is a nonsense.

We should focus on GOOD ENGINEERING.   I think that John 
Stassner's approach is sound.  When we decide what is right 
we should sell this to the IESG.   The success of the IETF 
is based on good engineering, and not on following 
procedures (such as so called "IESG Constraints").


Steve


On Sat, 01 Aug 1998 10:31:35 -0700 Tim Howes 
<howes@netscape.com> wrote:

> The whole reason for this document is to make one mechanism
> mandatory, so that implementations have some guarantee of
> interoperability. Aside from being a good idea, this constraint
> has been clearly imposed by the IESG. So, you could argue
> that we've chosen the wrong mandatory mechanism, and that
> we should have chosen an X.509-based mechanism to be
> mandatory. That was considered and rejected as too high
> an implementation burden. Given this background, and these
> constraints, do you have any suggestions on how to improve
> this document?                               -- Tim
> 
> Steve Kille wrote:
> 
> > Mark,
> >
> > I agree with all of this.   CRAM-MD5 is a good shared
> > secret mechanism, better than plain text password, and
> > suitable for some LDAP deployment.
> >
> > I think that X.509 (assymetric key) mechanisms, such as
> > the one you describe are going to be suitable for a lot of
> > other environments.
> >
> > My objection is to making CRAM-MD5 MANDATORY, when it is
> > so clearly unsuitable for a lot of types of LDAP deployment.
> >
> > Steve
> 
> 
>