
RE: draft minutes from Chicago meeting



Chris,

I could equally argue that since PKI is being installed in all major
organizations, it would make sense to use it for the Directory as well.

However, I see your point and we need to ponder this.  But I am not sure I
will go as far as to accept what other people rushed into doing unless it is
the right thing to do for the Directory.

I disagree with you that LDAP is crushing X.500 in the marketplace.  There
is a need for both at this point in time.  You still do not have
replication and chaining on stand-alone LDAP servers - except by
proprietary means.  As a result, stand-alone LDAP servers are used in
smaller installations and X.500 products (which have been around longer -
lest we forget) are used more in larger installations.

Cheers,                  ....Erik.

---------------------------------------
Erik Skovgaard
GeoTrain Corp.
Enterprise Directory Training and Consulting
http://www.geotrain.com

At 12:14 05/10/98 -0700, Chris Newman wrote:
>On Sat, 3 Oct 1998, Erik Skovgaard wrote:
>> But the issue is different for most of these servers.  In most cases
>> (except for the web server, of course) the client won't need to contact
>> several servers.
>
>I disagree.  With IMAP shared folders, there may be a need to connect to
>multiple IMAP servers.  In addition, there is a need to connect to the
>same IMAP server multiple times if a user opens multiple folders
>simultaneously.  When reading email, one is likely to connect to LDAP
>servers for directory lookups, IMAP servers to read mail, SMTP servers
>(with SMTP AUTH) to authenticate and send mail, and ACAP servers to get
>client configuration.  Perhaps even NNTP servers to read news if it's not
>been made available through IMAP.
>
>If each of these had a different mandatory-to-implement mechanism, the
>result would be a nightmare, especially if LDAP mandated client certs. 
>Don't forget that many (most?) of the LDAP clients people regularly use
>today are also email clients.  Internet email is one of the reasons that
>LDAP continues to crush X.500 in the marketplace.
>
>While CRAM-MD5 suffices in my book, Digest has the potential to be better
>since it brings HTTP into the set of protocols which can share the
>mandatory-to-implement mechanism.  It's a shame so few people in the apps
>area (and nobody in the security area) have paid attention to the need for
>multi-protocol authentication technology. 
>
>Something as fundamental as a mandatory-to-implement mechanism can't be
>determined with blinders that look at only one protocol at a time.
>
>		- Chris
>
>
>