
RE: RE: Authentication Methods for LDAP - last call

> -----Original Message-----
> From: John Haxby [mailto:jch@pwd.hp.com]
> Sent: Thursday, August 06, 1998 8:51 AM
> To: Alan.Lloyd@OpenDirectory.com.au; Chris.Newman@INNOSOFT.COM;
> johns@cisco.com
> Cc: ietf-ldapext@netscape.com; S.Kille@isode.com
> Subject: RE: RE: Authentication Methods for LDAP - last call
> 
>> 
> (jch) There is a deployed instance of OpenMail supporting 220,000 users
> across 10-20 servers (I forget the exact number, sorry).  Each server
> has a copy of the directory and the replication mechanism is such that
> it effectively forbids changes to directory entries not owned by the
> local server.  In this instance CRAM-MD5 would scale remarkably well.

For me, the scalability is not the issue. It isn't an efficiency issue.
CRAM-MD5 is just too insecure. Kerberos is not an option for accessing
white-pages directories such as we see on the Internet (no common trust
point). Client certificates aren't widely deployed.

We should use a stronger password-based authentication. HTTP will be using
Digest; sharing makes lots of sense.

Paul
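The mechanism under discussion, as an added illustration that is not part of this message or of any of the implementations mentioned in the thread: the full CRAM-MD5 exchange of RFC 2195 with both the server and client halves in one file. Running it makes two properties concrete that the bare "too insecure" above leaves implicit: the server can only verify a response if it holds the user's password itself (or an HMAC-MD5 state derived from it), so the password store is cleartext-equivalent, and nothing in the exchange proves the server's identity to the client. The hostname and the user/password table are constructed for the example; the test vector in the comments is the worked example from RFC 2195 itself.

```python
"""CRAM-MD5 (RFC 2195) exchange, server and client side, as a worked example."""
import base64
import hashlib
import hmac
import os
import time

# Constructed password table: CRAM-MD5 forces the verifier to keep the
# password (or an equivalent HMAC context), not a salted one-way hash.
SERVER_SECRETS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname: str) -> str:
    """Server step 1: a fresh, unique challenge in the '<pid.clock@host>' form RFC 2195 uses."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client step: 'username SP hex(HMAC-MD5(key=password, text=challenge))'.

    RFC 2195 example: challenge '<1896.697170952@postoffice.reston.mci.net>',
    user 'tim', password 'tanstaaftanstaaf' gives
    'tim b913a602c7eda7a495b4e6e7334d3890'.
    """
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, secrets: dict) -> bool:
    """Server step 2: recompute the HMAC from the stored password and compare.

    The comparison is constant-time, but the important point for the thread is
    what the server had to have in hand to do it: the cleartext password.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = secrets.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(username: str, password: str, secrets: dict, hostname: str = "example.invalid"):
    """One complete exchange as it travels on the wire (base64 in both directions).

    Returns (challenge_b64, response_b64, accepted). Note what the client never
    receives: any proof that the challenge came from the directory it meant to
    talk to. The mechanism authenticates the client only.
    """
    challenge = make_challenge(hostname)
    challenge_b64 = base64.b64encode(challenge.encode()).decode()

    # Client decodes the challenge and answers with its own HMAC.
    seen_challenge = base64.b64decode(challenge_b64).decode()
    response_b64 = base64.b64encode(
        client_response(username, password, seen_challenge).encode()
    ).decode()

    # Server decodes the answer and verifies it against its password store.
    accepted = server_verify(base64.b64decode(response_b64).decode(), challenge, secrets)
    return challenge_b64, response_b64, accepted


if __name__ == "__main__":
    ch, resp, ok = run_exchange("tim", "tanstaaftanstaaf", SERVER_SECRETS)
    print("S:", ch)
    print("C:", resp)
    print("accepted:", ok)
    print("accepted with wrong password:", run_exchange("tim", "wrong", SERVER_SECRETS)[2])
```

The same structure is why the page's preference for a Digest-style scheme is only a partial improvement on this axis: any challenge-response password mechanism leaves the verifier holding something password-equivalent, so the stronger argument is for mechanisms that also authenticate the server and protect the transcript, which is what the Kerberos and certificate options in the message would provide if they were deployable.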