
RE: Compromise Authentication Proposal




> -----Original Message-----
> From: Jonathan Trostle [mailto:jtrostle@cisco.com]
> Sent: Monday, October 12, 1998 5:34 PM
> 
> Issues with Digest as A General Purpose Mechanism
> 
> (1) We need delegation functionality. Digest does not appear 
> to have it, 
> but Kerberos has it (TLS is working on it). So Digest does 
> not meet our
> requirements.

Digest is compatible with delegation. It is true that there is no spec for
it, just as there is no spec for talking with a third party authentication
service. It is useful to get such a spec, but not mandatory in order to have
a standard client-server authentication protocol, or anywhere near as
important.

> 
> (2) There are some scaling issues with digest. Without a password 
> policy, users will choose weak passwords. Different realms will 
> implement different password policies leaving users with multiple 
> passwords. In enforcing the password policy, realms will need access 
> to the cleartext password, a malicious realm (the existence of which 
> becomes inevitable as you scale Digest up) can impersonate the
> user to other realms.

This is just as much an issue with Kerberos or TLS+passwords, and is not a
reason to prefer them over Digest.
> 
> (4) Not deployed and never will be. It has significant deployment
> in financial companies who are some of the most security conscious 
> customers. It is the primary authentication mechanism in NT5.

But not the one we expect to use on the Internet.

I see no reason to have more than one MTI. The market will decide if TLS and
Kerberos get implemented as well -- I'm willing to bet that they will, but
not willing to mandate them. Note that we are doing all three, so it's not
an issue of trying to avoid work on our part.

Paul
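Added example (not code from either author of this thread): a worked HTTP Digest computation illustrating the scaling point raised in item (2). A Digest server can store H(A1) = MD5(username:realm:password) instead of the cleartext password, and H(A1) is bound to the realm string, so a realm that leaks only its stored H(A1) cannot replay it against another realm. A realm that must see the cleartext password to enforce a password policy, however, can recompute H(A1) for any other realm where the user reuses that password and impersonate the user there. The request-digest below is RFC 2617's qop=auth form (the thread predates RFC 2617; RFC 2069's form differed slightly); the usernames, realms, nonces and password are constructed for illustration.

```python
"""Added example, not part of the original thread: RFC 2617 Digest (qop=auth)
computations showing that H(A1) is realm-bound, and that a realm which sees the
cleartext password can impersonate the user to other realms that share it.
All names and challenge values below are constructed for illustration."""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1) = MD5(username ":" realm ":" password). A server may store this
    # instead of the cleartext password; note that the realm is baked in.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # request-digest = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    # with H(A2) = MD5(method ":" uri) for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, response: str) -> bool:
    # The verifier recomputes the digest from its own stored H(A1) and
    # compares in constant time; it never needs the cleartext password.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def cross_realm_outcomes() -> dict:
    # Constructed scenario: alice reuses one password in two realms.
    user, password = "alice", "correct horse battery staple"
    realm_a, realm_b = "bank.example", "mail.example"  # hypothetical realms

    # Challenge parameters realm B issues for one request (constructed).
    method, uri = "GET", "/inbox"
    nonce, nc, cnonce = "5f1e9a2c7b3d", "00000001", "c0ffee"
    stored_ha1_b = ha1(user, realm_b, password)

    # Case 1: realm A is compromised but only ever stored H(A1).
    # The leaked value is bound to realm A's name and fails against realm B.
    leaked_ha1_a = ha1(user, realm_a, password)
    forged = digest_response(leaked_ha1_a, method, uri, nonce, nc, cnonce)
    with_leaked_ha1 = server_accepts(stored_ha1_b, method, uri, nonce, nc,
                                     cnonce, forged)

    # Case 2: realm A enforced a password policy, so it saw the cleartext
    # password. It can compute realm B's H(A1) and answer B's challenge.
    recomputed_ha1_b = ha1(user, realm_b, password)
    forged = digest_response(recomputed_ha1_b, method, uri, nonce, nc, cnonce)
    with_cleartext = server_accepts(stored_ha1_b, method, uri, nonce, nc,
                                    cnonce, forged)

    return {"with_leaked_ha1": with_leaked_ha1,
            "with_cleartext_password": with_cleartext}


if __name__ == "__main__":
    print(cross_realm_outcomes())
```

The mitigation implied by the thread is organisational rather than cryptographic: either realms accept H(A1) (or a policy check done client-side) rather than the cleartext password, or users must not share a password across realms, which is exactly the multiple-password burden item (2) describes.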