From: Jeffrey Schiller <jis@mit.edu>
Date: Mon, 28 Feb 2000 02:19:14 GMT
Subject: Re: draft-ietf-ldapext-x509-sasl
To: Patrik Fältström <paf@swip.net>
CC: Jeffrey Schiller <jis@mit.edu>, Steve Coya <scoya@ietf.org>, jis@mit.edu,
mleech@nortelnetworks.com, moore@cs.utk.edu
I should have my latest round of comments tonight or tomorrow.
However we have a fundamental disagreement hiding (or not) here. My
basic problem with the document is that it proposes a fairly heavy
weight authentication mechanism (using public key cryptography and a
certificate hierarchy) and then tosses away all of the advantages.
One clear example is that this mechanism claims that it can be used
through proxies. Yet there is no way specified to authenticate that
the proxy is in fact a proxy and not an attacker who is inserting
himself in the data path and observing and modifying data going from
client to server. If this kind of thing is allowed, then what is the
point of having the security... so you can say so?
-Jeff
Original Message <<<<<<<<<<<<<<<<<<
On 2/25/00, 7:21:13 PM, Patrik Fältström <paf@swip.net> wrote regarding
Re: draft-ietf-ldapext-x509-sasl:
--On 2000-02-25 17.10 +0000, Jeffrey Schiller <jis@mit.edu> wrote:
> Yep, big problems. This is the document I mentioned on the call
> yesterday. It should not be published.
Can you please then be the one suggesting text to be sent to the
ldapext wg?
paf