[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Compromise Authentication Proposal

To: "John C. Strassner" <johns@cisco.com>
Subject: Re: Compromise Authentication Proposal
From: Chris Newman <Chris.Newman@INNOSOFT.COM>
Date: Mon, 05 Oct 1998 11:27:33 -0700 (PDT)
Cc: IETF LDAP Extensions WG <ietf-ldapext@netscape.com>
In-reply-to: <3.0.2.32.19981002172930.00922a70@ntg.cisco.com>
Resent-date: Mon, 05 Oct 1998 11:27:52 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"lADsP3.0.ih2.b-G6s"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

On Fri, 2 Oct 1998, John C. Strassner wrote:
> I fail to see how this is a compromise.
> 
> Furthermore, for those sites/vendors that don't choose to implement the
> mandatory-to-implement mechanism, what exactly are we accomplishing, other
> than ensuring that such sites are not in conformance?

Sites which choose not to _use_ the mandatory to implement mechanism have
always been just fine.  In doing so, they restrict their choice of clients
and servers to those which implement the mechanism they do choose.  No way
to get around this regardless of what we do since there is no such thing
as a one-size-fits-all authentication mechanism.

Vendors which choose not to _implement_ the mandatory to implement
mechanism are not compliant with the LDAP base spec, but may be compliant
with the "LDAP applicability statement for large-scale-distribution
sites". But given the mandatory to implement mechanism is so simple
(probably about 1/100th the code necessary to implement X.509), I doubt
many implementors will have a compelling need to avoid it.

Vendors which choose to implement both the mandatory-to-implement
mechanism and the profile for large-scale-distribution sites, will have an
additional selling point which some customers may look for explicitly.
I've seen customers give a list of RFCs for which they want support, thus
having the profile for large-scale-distribution of LDAP in a separate RFC
will help such customers.

> What exactly was wrong with my compromise?

You're proposing that all server vendors be required to implement TLS with
full-strength encryption and client certs.  The main problem I have with
this is that client certs haven't proven to be generally useful in the
field yet. Despite the fact most web browsers support client certs, few
people use them -- cleartext passwords seem to be much more useful in
practice even with the Internet-wide scope of web servers.  Given the
complexity of implementing client certs, I think that makes it premature
to make them mandatory-to-implement, even for servers.  There's also the
export restriction issue, although it could be argued that's a good thing
since it puts pressure on governments if the software companies in that
country can't export compliant LDAP servers. 

Personally I think TLS is best at a SHOULD level for LDAP.  There are a
lot of compelling reasons both to implement it and not to implement it,
but implementors really SHOULD if they can.

		- Chris

References:
- Re: Compromise Authentication Proposal
  - From: "John C. Strassner" <johns@cisco.com>

Prev by Date: Re: VLV indices and multi-value attributes
Next by Date: RE: draft minutes from Chicago meeting
Index(es):
- Chronological
- Thread