
Re: Compromise Authentication Proposal



I am quite comfortable with DIGEST-MD5 as the MTI SASL mechanism, though the
'LDAP Authentication Methods' draft does need to be updated to clarify the
client-server interactions required.  DIGEST provides a relatively simple to
implement protected password mechanism at both client and server end, it
allows third-party authentication mechanisms to be used for those
implementations that need them (getting around the passwords stored at
discrete LDAP servers problem), it provides commonality between different
application types, and it doesn't have the performance overhead of
encrypting all the data.  I don't think TLS with cleartext passwords or
certs solves any of these problems.  TLS with DIGEST is fine for those
implementations that need it but we don't need to mandate this.

So, Chris, are you going to make your proof-of-concept source code public?
I know that the DIGEST drafts contain example code but you've probably
ironed out all the bugs.

Regards, Phil