
Re: increasing complexity - draft-ietf-ldapext-acl-model-08.txt



My suggestion is that the ACM support neither authentication level nor mechanism.
We've gone through this discussion multiple times now and it seems
that we're not going to reach consensus as to which to support in
the ACM.

        Kurt

At 08:02 AM 7/6/2001, Steinitz, Dominic J wrote:
>We prefer authentication method to authentication strength. This allows different organisations to make their own choice about what is acceptable for a particular application.

What does SIMPLE mean: plain simple bind or simple bind over TLS?
What does SASL mean?
What does EXTERNAL mean?
What does DIGEST-MD5 mean?  (auth only?  auth-int? auth-conf?)
What does GSSAPI mean?  w/ pre-auth?  w/o pre-auth?

>Why force authentication methods to have strengths relative to each other? 

We're categorizing uses of methods (note that method strength
depends on use) based upon what attacks they are prone to.

>This is a general security question not one that is just applicable to ldap.

But answers may not be.

>Experience has shown us that giving each authentication method a strength is unnecessarily constraining.

Experience has shown us that users (or administrators) do not
understand the complexity of security.

>It is better to leave an organisation to make the decision about which methods are acceptable.

Users do not have a clue what methods they are using, let alone
which methods they should be using (and most admins don't either).

Kurt