RE: Compromise Authentication Proposal



On Mon, 12 Oct 1998, Jonathan Trostle wrote:
> Here are some issues with making Digest Auth MTI. It has been stated that
> making an algorithm MTI does not make it mandatory to use. But if one
> is not going to use it, why would they implement it on memory constrained 
> network devices?

In general, the choice of implementation is made by the vendor and the
choice of use is made by the end user/site.  Making something MTI means
the vendor has to provide that choice to the end user/site in order to be
compliant.  Furthermore, since mass production is simpler if there's only
one version, it's usually most cost effective if the vendor either
implements a set of useful options or a plug-in API.

But if we're considering memory constrained devices, it's important that
the MTI (or set thereof) have a minimal code footprint -- thus excluding
X.509-based mechanisms and Kerberos.

Note that I'm a big fan of the Kerberos security model and I wrote what I
believe to be the only plug-and-play Kerberos telnet client for MacOS (if
you have the right Kerberos plug-in installed & configured and the telnet
server announces support for Kerberos, it's automatically used).  But I
still don't think Kerberos makes sense as MTI.

		- Chris