
Re: draft minutes from Chicago meeting



Surely making TLS mandatory to implement as a SASL authentication mechanism
implies that if this is all the server supports then all human clients
wishing to be strongly authenticated must have a certificate (and private
key) which, although maybe a future expectation, certainly isn't the case
today.

I suspect that most human clients today would be happy with an encrypted
password technique like CRAM-MD5 to provide strong authentication.  This
could be combined with an encrypted, but not client authenticated, TLS
session if full data confidentiality and integrity is required.  Therefore,
I would suggest that CRAM-MD5 (or its equivalent) is a more realistic SASL
mechanism to mandate in real-world terms.

Phil Pinkerton, ICL
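The mechanism the post refers to, CRAM-MD5 (RFC 2195), is a challenge/response scheme rather than an encrypted password: the server sends a fresh challenge, and the client answers with an HMAC-MD5 keyed by the password over that challenge, so the password itself never crosses the wire. The following is an added example, not code from the post or from any list participant, that walks through one exchange with both sides in Python's standard library. The hostname, the credential store, and the user/password pair are constructed sample values.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides, in one file.

Added illustration; all names and sample credentials are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str = "mail.example.invalid") -> bytes:
    """Server side: build a fresh, unpredictable challenge.

    RFC 2195 uses a Message-ID-like string "<random.timestamp@host>".  The
    random part is what stops a captured response from being replayed
    against a later login attempt.
    """
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the password without sending it.

    The response is "username <hex of HMAC-MD5(key=password, msg=challenge)>".
    """
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: bytes, credentials: dict) -> bool:
    """Server side: recompute the HMAC from the stored password and compare.

    Note what this requires: the server must hold the password itself (or
    the HMAC inner/outer key state derived from it), not a salted one-way
    hash, because it has to compute the same HMAC the client did.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False  # malformed response, not "username hexdigest"
    password = credentials.get(username)
    if password is None:
        return False  # unknown user
    expected = hmac.new(password, challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak how many hex
    # characters of the digest were correct.
    return hmac.compare_digest(expected, digest)


def encode_line(data: bytes) -> str:
    """IMAP/SMTP carry SASL messages base64-encoded on the wire."""
    return base64.b64encode(data).decode("ascii")


def decode_line(line: str) -> bytes:
    return base64.b64decode(line)


def run_exchange(username: str, password: bytes, credentials: dict):
    """Drive one full exchange; return (accepted, wire transcript)."""
    challenge = make_challenge()
    s_to_c = encode_line(challenge)
    answer = client_response(username, password, decode_line(s_to_c))
    c_to_s = encode_line(answer.encode())
    accepted = server_verify(decode_line(c_to_s).decode(), challenge, credentials)
    return accepted, [("S", s_to_c), ("C", c_to_s)]


if __name__ == "__main__":
    # Constructed credential store: username -> password bytes.
    creds = {"alice": b"correct horse battery staple"}
    ok, transcript = run_exchange("alice", b"correct horse battery staple", creds)
    for side, line in transcript:
        print(f"{side}: {line}")
    print("accepted:", ok)
```

Two points the exchange makes visible for anyone weighing the post's suggestion: an eavesdropper sees only the challenge and a 32-hex-digit HMAC, so a passive capture does not yield the password, but the server must keep each user's password (or an equivalent HMAC key state) available in recoverable form, which is why a compromise of the server's credential store is as damaging as a plaintext password file. Running CRAM-MD5 inside a server-authenticated TLS session, as the post proposes, protects the exchange in transit but does not change that storage requirement.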