Re: draft minutes from Chicago meeting



[don't forget to trim the recipients -- I'm sure minutes@ietf.org isn't
 interested in this conversation]

On Mon, 28 Sep 1998, Jonathan Trostle wrote:
> How about the following for mandatory to implement: Servers must implement TLS, 
> SASL GSS Kerberos V5, and CRAM-MD5/digest auth. Clients must implement one of 
> these three protocols.

This is getting ridiculous.  There's no justification for such a
requirement given how little Kerberos deployment there is after 10? years. 
Kerberos has proven to be too difficult to deploy so far.  Microsoft might
change that by adding some things to simplify Kerberos operationally, but
it's certainly premature to promote it so heavily (I say this despite
having written a Kerberos-enabled telnet client). 

Personally, I don't think the stronger authentication technologies need to
be promoted at all by the standard.  The people who _really_ need them
usually have enough money and clout to make sure they happen.

What needs to be promoted is the baseline mechanism which guarantees
interoperability, and perhaps a clear-text password under encryption
mechanism which provides backward compatibility with arbitrary password
databases. 

		- Chris