RE: Compromise Authentication Proposal
On Mon, 12 Oct 1998, Jonathan Trostle wrote:
> Here are some issues with making Digest Auth MTI. It has been stated that
> making an algorithm MTI does not make it mandatory to use. But if one
> is not going to use it, why would they implement it on memory constrained
> network devices?
In general, the choice of implementation is made by the vendor and the
choice of use is made by the end user/site. Making something MTI means
the vendor has to provide that choice to the end user/site in order to be
compliant. Furthermore, since mass production is simpler if there's only
one version, it's usually most cost effective if the vendor either
implements a set of useful options or a plug-in API.
But if we're considering memory constrained devices, it's important that
the MTI (or set thereof) have a minimal code footprint -- thus excluding
X.509-based mechanisms and Kerberos.
Note that I'm a big fan of the Kerberos security model and I wrote what I
believe to be the only plug-and-play Kerberos telnet client for MacOS (if
you have the right Kerberos plug-in installed & configured and the telnet
server announces support for Kerberos, it's automatically used). But I
still don't think Kerberos makes sense as MTI.
- Chris