
Re: draft minutes from Chicago meeting



On Mon, 28 Sep 1998, John C. Strassner wrote:
> I still think that a good approach to ensure mandatory-to-implement
> compatibility is to divide the problem in two. Force servers to implement
> TLS plus one of either the compromise or CRAM-MD5, and force clients to
> implement either TLS or the non-TLS option chosen for the server. This way,
> applications that mandate strong authentication can rely on TLS, and
> applications that don't can rely on the lighter weight option.

My understanding is the current model is that implementations MUST
implement DIGEST-MD5/CRAM-MD5 (whichever the WG chooses) and SHOULD
implement TLS.

I'm opposed to making TLS a MUST for clients, but I don't see a big
problem with making it a MUST for servers (although TLS is a *lot* more
code than should be necessary for the level of security it provides).
Note that the mandatory-to-implement cipher suite in TLS is DHE_DSS +
triple-DES, so an export-crippled server would be non-compliant with the
spec.  This may or may not be a big deal.

		- Chris
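The "lighter weight option" the thread weighs against TLS is CRAM-MD5 (RFC 2195): the server sends a one-time challenge, and the client answers with an HMAC-MD5 of that challenge keyed by the shared password. The block below is an added example, not code from this thread or from the working group; it implements both sides of the exchange plus the checks a server needs (constant-time comparison, rejection of a replayed challenge, malformed replies). The host name, the random challenge token (RFC 2195 uses the process id) and the user store are constructed for the demo; the sample credentials are the ones in the RFC's own worked example.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides, with server-side checks.
Added example for illustration; not code from the mailing-list thread."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server secret store.  CRAM-MD5 keys the HMAC with the password
# itself, so the server must keep a plaintext-equivalent secret per user; that
# is the main deployment drawback relative to TLS plus a salted password hash.
USER_SECRETS = {"tim": "tanstaaftanstaaf"}   # user/password from the RFC 2195 example


def make_challenge(hostname="postoffice.example.test"):
    """Server: build a fresh <token.timestamp@host> challenge.
    Returns (raw challenge, base64 wire form).  A random token is used here
    (assumption; RFC 2195 uses the pid) so challenges cannot be predicted."""
    challenge = f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>"
    return challenge, base64.b64encode(challenge.encode()).decode()


def client_response(username, password, wire_challenge):
    """Client: decode the challenge and return
    base64('username ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(wire_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(wire_response, challenge, used_challenges):
    """Server: return (ok, reason).  Rejects malformed replies, replayed
    challenges, unknown users and wrong digests (constant-time compare)."""
    try:
        username, digest = base64.b64decode(wire_response).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed response"
    if challenge in used_challenges:
        return False, "challenge replayed"
    used_challenges.add(challenge)          # each challenge is good for one reply only
    secret = USER_SECRETS.get(username)
    if secret is None:
        hmac.compare_digest(digest, "0" * 32)   # keep timing similar for unknown users
        return False, "unknown user"
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    if not hmac.compare_digest(digest.lower(), expected):
        return False, "bad digest"
    return True, "authenticated " + username


def run_exchange(username, password, used_challenges=None):
    """Drive one complete exchange and return the server's verdict."""
    used = set() if used_challenges is None else used_challenges
    challenge, wire_challenge = make_challenge()
    wire_response = client_response(username, password, wire_challenge)
    return server_verify(wire_response, challenge, used)


if __name__ == "__main__":
    print(run_exchange("tim", "tanstaaftanstaaf"))   # (True, 'authenticated tim')
    print(run_exchange("tim", "not-the-password"))   # (False, 'bad digest')
```

The whole mechanism is a few dozen lines against a TLS stack, which is Chris's point about code size; the trade-off is that the server holds a password-equivalent secret and that nothing in the exchange protects the session that follows, which is what the TLS SHOULD/MUST discussion is about.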