
RE: Compromise Authentication Proposal



I object to profiles.

The following should be MTI:
support for anonymous, and lightweight strong authentication.

Which, if it is Digest, is scalable to large installations. People just keep
asserting that it isn't.

Plaintext passwords should be mandatory to NOT IMPLEMENT, in my opinion.
But I know that will never fly, so let's just make them optional.


> -----Original Message-----
> From: Erik Skovgaard [mailto:eskovgaard@geotrain.com]
> Sent: Thursday, October 08, 1998 12:26 PM
> To: Chris Newman
> Cc: IETF LDAP Extensions WG
> Subject: Re: Compromise Authentication Proposal
> 
> 
> Chris,
> 
> You are right, I did not make it clear.
> 
> Well, here is the problem.  If we set the bar too low, LDAP becomes useless
> to large installations.  If we set it too high, as you point out, we
> eliminate the low end products.
> 
> I can see both points of view and all I ask is that we clearly identify the
> environment.  I think there is at least some agreement among the members of
> the list that we *should* try and address both environments.
> 
> As far as I can see, the issue is mainly for clients.  How about if we allow
> three profiles for clients:
> 
> 1. Clients with only anonymous and clear text password capabilities.
> 2. Clients that support 1. and lightweight strong authentication.
> 3. Clients that support 1. and scalable strong authentication.
> 
> If we for the last category can also include confidentiality services (i.e.
> encryption on the session), I think we have covered all bases.  The "slow"
> processing of SSL + certs is a non-issue, IMHO.  Many desktop installations
> today use PKI (for instance Entrust) and the processing is very intensive
> without disrupting users.  Keep in mind that we are developing standards for
> the future, not yesterday's equipment.  Of course, we *do* need to allow
> for simple clients as per my suggestion above.
> 
> One of the main drivers for my option 3 above is administrative clients.
> Most of the products today use proprietary mechanisms and it makes it very
> difficult to administer a multi-vendor environment.  This is only going to
> get worse as different parts of an organization install different products.
> 
> Servers would have to support all three options, but if that is a problem
> for some people, we could also profile servers as follows:
> 
> 1. Servers which support anonymous, clear text passwords and lightweight
> strong authentication.
> 2. Servers which support 1. and scalable strong authentication.
> 
> How's that for a compromise?
> 
> Cheers,                 ....Erik.