Re: draft minutes from Chicago meeting

[Tim Howes <howes@netscape.com>]

Yep. Let's not lose sight of our goal here. Our goal is
to decide on a mandatory-to-implement non-clear-text-
password authentication scheme for LDAP clients and
servers, to address the IESG's interoperability
concerns with LDAPv3. We will achieve this goal with
the minimum acceptable solution.

All this talk of other authentication methods and
security measures that we might want to make mandatory
is fine, but none of it is going to happen until we
get job one accomplished. So let's keep focused on
job one until it's done, and avoid confusing an already
confused discussion.                    -- Tim

Chris Newman wrote:
> 
> [don't forget to trim the recipients -- I'm sure minutes@ietf.org isn't
>  interested in this conversation]
> 
> On Mon, 28 Sep 1998, Jonathan Trostle wrote:
> > How about the following for mandatory to implement: Servers must implement TLS,
> > SASL GSS Kerberos V5, and CRAM-MD5/digest auth. Clients must implement one of
> > these three protocols.
> 
> This is getting ridiculous.  There's no justification for such a
> requirement given how little Kerberos deployment there is after 10? years.
> Kerberos has proven to be too difficult to deploy so far.  Microsoft might
> change that by adding some things to simplify Kerberos operationally, but
> it's certainly premature to promote it so heavily (I say this despite
> having written a Kerberos-enabled telnet client).
> 
> Personally, I don't think the stronger authentication technologies need to
> be promoted at all by the standard.  The people who _really_ need them
> usually have enough money and clout to make sure they happen.
> 
> What needs to be promoted is the baseline mechanism which guarantees
> interoperability, and perhaps a clear-text password under encryption
> mechanism which provides backward compatibility with arbitrary password
> databases.
> 
>                 - Chris