
Re: draft minutes from Chicago meeting



Phil,

Sorry, I got distracted and did not answer the rest of your message.

I agree that we have a problem here.  So I am still trying to force a
position on the type of environment we intend to address.  If we, as Tim
suggested, are going to address both the large, distributed, multi-vendor
environment and the single server environment (or the single-vendor
environment which is almost the same), then we can't really ignore one in
favour of the other, can we?

One approach would be to have two classes of servers and clients.  One for
small domains where CRAM-MD5 will work and one for large domains (read:
multi-vendor) where we will have to use a PKI approach.

Since we can't make both camps happy if we only provide one solution, the
above would seem to me to be the way out of the stalemate.

Cheers,                ....Erik.

----------------------------------
Erik Skovgaard
GeoTrain Corp.
Enterprise Directories - Consulting and Training
http://www.geotrain.com

At 14:35 02/10/98 +0100, Phil Pinkerton wrote:
>
>>Phil,
>>
>>Think about it, how will you implement a multi-server domain?
>>
>>With CRAM-MD5 you have to configure the password for users on each server.
>>That may be fine for a few servers and a few non-anonymous users, but it
>>does not scale when you implement hundreds of servers and have millions of
>>users that require strong authentication.
>>
>>Hence, if you *only* mandate CRAM-MD5, you will only cater to the small
>>installations.  That was the reason for my question.
>>
>
>
>This is really a failure of the distributed model in use rather than the
>protocol or the authentication mechanism.  But let's not go down that road.
>
>What I fail to understand is how TLS with a clear text password over the top
>(as has been suggested) solves this problem.  You've still got to
>authenticate the client at the LDAP level and give them an
>authorization-identity (?) so that you can apply access control, etc.  If
>you are proposing TLS client authentication using certificates to validate a
>client then I can see how this would work and get around your distribution
>issues, but this is heavy to mandate when 90% (my guess) of the LDAP
>directory deployments out there are probably single-server.
>
>Regards, Phil
>
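The scaling objection in this thread rests on how CRAM-MD5 works: the server must recompute HMAC-MD5 over its own challenge using the user's stored secret, so every server in a multi-server domain needs a copy of that secret. The following Python sketch is an added illustration, not code from this thread or from any LDAP product; it implements the RFC 2195 style exchange with a constructed credential store (user "alice", hostname "ldap1.example.test") and shows that a server without the secret cannot verify the response.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed credential store for one server. CRAM-MD5 verification needs the
# user's secret on every server that must authenticate the user.
CREDENTIALS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


def make_challenge(hostname: str) -> bytes:
    """Server side: a one-time challenge in the '<random.timestamp@host>' form."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: bytes, challenge: bytes) -> bytes:
    """Client side: 'username ' followed by hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes,
                  store: Dict[str, bytes]) -> Optional[str]:
    """Server side: recompute the HMAC with the stored secret.

    Returns the authenticated username, or None if the user is unknown on
    this server or the digest does not match.
    """
    try:
        username, digest = response.decode().split(" ", 1)
    except ValueError:
        return None
    secret = store.get(username)
    if secret is None:  # secret not replicated to this server: cannot verify
        return None
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def run_exchange(username: str, password: bytes, store: Dict[str, bytes],
                 hostname: str) -> Optional[str]:
    """Full exchange with the base64 framing SASL uses on the wire."""
    challenge = make_challenge(hostname)
    wire_challenge = base64.b64encode(challenge)          # server -> client
    response = client_response(username, password, base64.b64decode(wire_challenge))
    wire_response = base64.b64encode(response)            # client -> server
    return server_verify(base64.b64decode(wire_response), challenge, store)


if __name__ == "__main__":
    print(run_exchange("alice", CREDENTIALS["alice"], CREDENTIALS, "ldap1.example.test"))
    print(run_exchange("alice", CREDENTIALS["alice"], {}, "ldap2.example.test"))
```

The second call models a server in the same domain that never received alice's secret: the client's response is well formed, yet that server cannot accept it.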