Re: LDAP Authentication Consensus
While I am not totally unsympathetic to your views,
this is a topic that has been debated again and again
on the list, at the meetings, and in private. It
appears we can't come to a conclusion that satisfies
everyone, so we are taking advantage of the "rough"
part of "rough consensus". Mark and I believe strongly
that debating this further serves no purpose other
than to proliferate the use of clear-text passwords
and to keep the group from working on other things.

We believe the group has rough consensus, and
therefore we should close the debate and move
on to other things.        -- Tim

Steve Kille wrote:
> 
> Tim,
> 
> I very much like the saying that "good questions are much
> harder than good answers".
> 
> My basic difficulty is that I am not very happy with your
> question, and think that we should work first to achieve
> consensus as to what the question should be.
> 
> I think that there is a goal of having deployed LDAP
> accessed directories not use cleartext passwords, to the
> maximum extent possible, and specifying LDAP in a way which
> will most effectively enable this goal. I'd be interested
> to see if we can focus on agreeing a goal like this. I
> think this might be the basis for the right question.
> 
> As I have said before, I do not think that a single
> mandatory non-cleartext mechanism in LDAP is the right way
> to achieve this, and I am certain that it is not a
> sensible goal in its own right.
> 
> The basic problem that we have is that there does not
> appear to be a single mechanism which can be accepted for
> universal implementation, which will really work in a wide
> range of LDAP deployments. TLS is considered too high a
> barrier. CRAM-MD5 and the new digest mechanisms are not
> useful for large deployments.
> 
> Let's try to work at the question we are asking.
> 
> Steve
> 
> > THE PROBLEM
> >
> > LDAPv3 must specify at least one non-cleartext password
> > authentication mechanism that is mandatory to implement.
> > This way, when independent vendors go off and implement
> > products, they will be guaranteed to interoperate with
> > better-than-cleartext-password authentication. Other
> > applications can and will require other authentication
> > and security methods. This work does not preclude that.