
Authentication Methods for LDAP - my vote for CRAM-MD5
I am strongly in favor of a simple, open, mandatory, and uniform
authentication method for LDAP.  If CRAM-MD5 meets these criteria, then I'm
very anxious to see it implemented among LDAP products, which currently
cannot offer any level of security at all unless both client and server come
from the same vendor.

By "open" I mean an algorithm that is not constrained by license obligations
(to RSA for instance) and preferably is available in public-domain source
code.  We make embedded systems and must build our LDAP client from source.
We cannot rely on features that are available only in binary or object-form
client modules.

I've read the arguments that question the security of CRAM-MD5, but these
arguments only demonstrate that a sophisticated attacker can break CRAM-MD5
in certain circumstances.  A system using CRAM-MD5 is still much, much more
secure than one using clear-text passwords.  Is there another, equally
simple scheme that is open (no licensing required) and more secure?

If CRAM-MD5 rates a "MUST", then Kerberos probably rates a "SHOULD".  It's
open, but pretty complex.  I wouldn't want to see it required at the expense
of CRAM-MD5.

I am strongly against choosing certificates as the only mandatory secure
authentication method because they are far too complex for embedded systems
and not open as practiced among popular products that would be compatibility
targets.  I think that certificate-based authentication would be
appropriately specified as a "MAY".

Please understand that these are the thoughts of an LDAP customer rather
than an LDAP vendor.  I welcome any corrections on points of fact.

Regards,

George Powers
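The challenge-response exchange the post is arguing for, written out as an added example (this is not part of the original message and not code from any LDAP product): the server issues a fresh challenge, the client answers with `username hex(HMAC-MD5(password, challenge))` as RFC 2195 specifies, and the server recomputes the same value. The hostname `ldap.example.test`, the in-memory password store and the single-use challenge set are assumptions for the example; the `tim`/`tanstaaftanstaaf` pair is the worked vector from RFC 2195 itself.

```python
import base64
import hashlib
import hmac
import os
import time

# ---- client side ----------------------------------------------------------

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """RFC 2195 response: '<username> <hex HMAC-MD5 keyed by the password>'.

    The password itself never leaves the client; only the keyed digest of
    the server's challenge is sent back.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def encode_wire(data: bytes) -> str:
    """Challenge and response travel base64-encoded, as in RFC 2195."""
    return base64.b64encode(data).decode("ascii")


def decode_wire(data: str) -> bytes:
    return base64.b64decode(data)


# ---- server side ----------------------------------------------------------

class CramMd5Server:
    """Minimal verifier (assumed design, not any vendor's implementation)."""

    def __init__(self, password_store: dict, hostname: str = "ldap.example.test"):
        # CRAM-MD5 requires the verifier to hold each password in a form it
        # can key HMAC with, i.e. the clear text (or an MD5 intermediate
        # state), not a salted one-way hash. That is the main deployment
        # caveat of the scheme and is why this store is plain text here.
        self._passwords = dict(password_store)
        self._hostname = hostname
        self._counter = 0
        self._outstanding: set[bytes] = set()  # challenges issued, not yet used

    def issue_challenge(self) -> bytes:
        # RFC 2195 shape "<id.timestamp@host>"; a per-server counter stands in
        # for the process id so every challenge is unique.
        self._counter += 1
        challenge = f"<{self._counter}.{time.time_ns()}@{self._hostname}>"
        self._outstanding.add(challenge.encode("ascii"))
        return challenge.encode("ascii")

    def verify(self, response: str, challenge: bytes) -> bool:
        # A challenge is valid exactly once: a captured response cannot be
        # replayed against the same or any later challenge.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        try:
            username, digest = response.split(" ", 1)
        except ValueError:
            return False
        password = self._passwords.get(username)
        if password is None:
            return False
        expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
        # Constant-time comparison so the verifier leaks nothing via timing.
        return hmac.compare_digest(expected, digest)


def demo() -> list:
    """One full exchange, returned as the lines an observer on the wire sees."""
    server = CramMd5Server({"tim": "tanstaaftanstaaf"})
    challenge = server.issue_challenge()
    wire_challenge = encode_wire(challenge)
    response = cram_md5_response("tim", "tanstaaftanstaaf", decode_wire(wire_challenge))
    wire_response = encode_wire(response.encode("ascii"))
    ok = server.verify(decode_wire(wire_response).decode("ascii"), challenge)
    return [f"S: + {wire_challenge}", f"C: {wire_response}", f"S: {'OK' if ok else 'NO'}"]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

What an eavesdropper sees is the challenge and a 128-bit keyed digest, never the password, which is the improvement over clear-text binds the post describes. The caveats the post alludes to remain visible in the code: the captured challenge/response pair is still material for offline password guessing, and the server must keep passwords in recoverable form, so password strength and protection of the server-side store carry the scheme.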