
Re: Authentication Methods for LDAP - last call



Good grief. The argument set forth by you and some others essentially says
don't worry about mass deployments, or the Internet, or real businesses
that have more than ONE server, use a (by your own admission) weak security
mechanism (CRAM-MD5) because it is simpler to implement and better than
passing clear text. This is bordering on the absurd. You will never
convince me, Steve, Paul, and others who work on distributed systems of
this argument.

On the other hand, I do see your point that for certain well-controlled
implementations CRAM-MD5 might be good enough. Fine. Let's end the madness
and stop wasting bandwidth. How about this for a compromise:

Add text to the draft that divides the deployment of LDAP into two types:
one for businesses that use one server (or perhaps a small number), and
one that implements a distributed system of many servers. For the former,
specify that mandatory to implement is CRAM-MD5, and for the latter,
specify that mandatory to implement is either a certificate-based system or
Kerberos.

Otherwise I think that we will just continue to trade "point-for-point
rebuttals" which don't lead anywhere. As an example, I will rebut your
rebuttal, and I'm sure that soon you will rebut my rebuttal, and then other
people will get into the act. This is stupid.

So how about it? I'm willing to compromise, and I think that this
compromise captures the best of both positions. How about you?

Tim, comments?

John

At 03:22 PM 8/5/98 -0700, Chris Newman wrote:
>Point for point rebuttal of John's Monday message follows:
>
>On Mon, 3 Aug 1998, John C. Strassner wrote:
>> >* Scalability comes in two forms -- many users on one server or many
>> >servers with distributed rules
>> [js] umm, excuse me, but there is a huge difference between the relatively
>> small number of users that a single server can support and the very large
>> number of users that a distributed system consisting of multiple servers
>> can support.
>
>A fast single server could easily support 200,000 user entries and that
>will suffice for a large number of sites.  The simplicity of managing one
>server rather than managing many servers makes this desirable for
>small/medium sized organizational units.

[js] But the obvious problem is that many sites with fewer than 200,000
people have multiple servers - what do they do? Worse, most of these sites
have these multiple servers distributed in different geographic locations
and can NOT implement a single master system (are you seriously going to
suggest that a multinational organization can't update their directory
because their (slow) WAN link is down?).

>> >* CRAM-MD5 is several orders of magnitude faster than X.509.
>> [js] shooting yourself in the head will probably make you die faster than
>> shooting yourself multiple times in the foot - what's the point? if the
>> requirement is scalability and/or being able to support large numbers of
>> users for secure authentication, CRAM-MD5 won't cut it. period.
>
>The requirements for a baseline mechanism are documented in
>draft-newman-auth-mandatory-00.txt.  CRAM-MD5 is intended as a replacement
>for the unencrypted clear text passwords everyone is using with LDAP
>today.  We should not pretend it is a secure mechanism -- only that it is
>sufficiently better than unencrypted clear text passwords and simple
>enough that it has a chance of replacing them and making everyone safer.

[js] I would never recommend passing unencrypted clear text passwords.
In that respect, CRAM-MD5 is better. That's why I tried the compromise.

>> >* X.509 scales better for a distributed system than CRAM-MD5
>> >
>> >* CRAM-MD5 is a small burden on an implementor, X.509 is a huge burden
>> [js] but undertaking security for a distributed system is a huge burden in
>> and of itself. taking short cuts doesn't make this easier.
>
>Not all LDAP uses are distributed.  In fact most uses will be standalone.
>Obviously we need to continue to do research on distributed authentication
>technologies and nothing is stopping that.

[js] Right, but not all deployments can be single-server (or even a "few"
servers) because of geographic location restrictions and other factors.
Again, that's why I proposed the compromise.

>> [js] sorry, i disagree. single-server deployments do not equal large
>> deployments.
>
>I agree.  But large deployments will use something other than CRAM-MD5 so
>where's the controversy?  CRAM-MD5 is baseline, not the best.

[js] Simply that having a mandatory to implement CRAM-MD5 for a distributed
system when we know that it can't work is a waste of time.

>> [js] I think that this needs further discussion. Kerberos, for one, seems
>> to be a better choice.
>
>Kerberos can't be used as mandatory-to-implement unless we also made it
>mandatory that *every* LDAP server includes a full Kerberos domain server.
>Otherwise real-world implementations can't assume Kerberos is present and
>will have to use something else by default.  So what else should they use?
>Unencrypted clear text or CRAM-MD5?
>
>		- Chris
>
[js] Whichever the needs of the deployment call for. Just please don't force me
to implement CRAM-MD5 for a distributed system, and I won't force you to
implement Kerberos or X.509 certs for a single server system.
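The mechanism the two sides are arguing over is small enough to show in full. The following is an added example, not code from the thread or from any LDAP implementation: it runs the CRAM-MD5 (RFC 2195) challenge/response with both the server and client halves, checks the result against the worked example in RFC 2195 ("tim" / "tanstaaftanstaaf"), and then shows why Chris is right not to call it a secure mechanism: a passive observer who captures one challenge and one response can run an offline dictionary attack, and the verifying server has to hold the password itself (or a plaintext-equivalent keyed state) for every user, on every server that must verify logins. The hostname, the credential table and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store. CRAM-MD5 verification needs the
# plaintext password (or the equivalent keyed MD5 states); a salted
# one-way hash is not usable here. Every verifying server must hold this.
CREDENTIALS = {
    "tim": "tanstaaftanstaaf",          # user/password from the RFC 2195 example
    "jstrassner": "corr3ct-horse",      # constructed
}


def make_challenge(hostname="ldap.example.net"):
    """Server side: a fresh, unique challenge in the RFC 2195 shape
    <random.timestamp@hostname>. Uniqueness is what stops replay."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_digest(password, challenge):
    """The keyed digest both sides compute: HMAC-MD5(key=password, msg=challenge)."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, password, challenge_b64):
    """Client side: decode the challenge, reply base64("<user> <hexdigest>")."""
    challenge = base64.b64decode(challenge_b64).decode()
    clear = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(clear.encode()).decode()


def server_verify(response_b64, challenge):
    """Server side: recompute the digest from the stored password and compare
    in constant time. Returns True only for a matching user and digest."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = CREDENTIALS.get(username)
    if password is None:
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


def run_exchange(username, password, challenge=None):
    """Drive one full exchange and return (challenge, response, accepted)."""
    challenge = challenge or make_challenge()
    challenge_b64 = base64.b64encode(challenge.encode()).decode()
    response = client_response(username, password, challenge_b64)
    return challenge, response, server_verify(response, challenge)


def offline_guess(challenge, response_b64, wordlist):
    """Passive attacker: the challenge is public and HMAC-MD5 is cheap, so a
    single captured exchange is enough for an offline dictionary attack.
    Returns (username, password) on success, None otherwise."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    for guess in wordlist:
        if cram_md5_digest(guess, challenge) == digest:
            return username, guess
    return None


if __name__ == "__main__":
    ch, resp, ok = run_exchange("jstrassner", "corr3ct-horse")
    print("challenge:", ch)
    print("response: ", resp, "accepted:", ok)
    # Constructed wordlist standing in for a real dictionary.
    print("offline guess:", offline_guess(ch, resp, ["password", "corr3ct-horse"]))
```

The exchange hides the password from a passive observer, which is the whole of the improvement over a clear-text bind; it provides no integrity or confidentiality for the LDAP session that follows, no server authentication, and it ties every verifying replica to a copy of the user's secret.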