[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authentication Methods for LDAP - last call
> > * CRAM-MD5 is several orders of magnitude faster than X.509.
>
> [js] shooting yourself in the head will probably make you die faster than
> shooting yourself multiple times in the foot - what's the point? if the
> requirement is scalability and/or being able to support large numbers of
> users for secure authentication, CRAM-MD5 won't cut it. period.
The point is that some people manufacture small devices that don't have
much CPU horsepower or bandwidth for trying to deal with X.509 and all
the overhead involved. LDAP should not be concerned just with trying
to scale to the world, it should also be concerned with working in a
small home office, that does not want to set up a CA and all the other
certificate infrastructure (or Kerberos server) just to enjoy the benefits
of LDAP and active directories.
> >* CRAM-MD5 scales better for many users on one server than X.509
>
> [js] see above.
No, see reality.
Not everyone is using 400MHz Pentium II processors - some are using good
old MC68302 processors. Think embedded systems.
Not everyone who uses LDAP cares about X.509 certificates and certificate
revocation list processing and global infrastructure. They care about
lightweight (small memory footprint and low CPU overhead) applications
for localized information.
> >* X.509 scales better for a distributed system than CRAM-MD5
> >
> >* CRAM-MD5 is a small burden on an implementor, X.509 is a huge burden
>
> [js] but undertaking security for a distributed system is a huge burden in
> and of itself. taking short cuts doesn't make this easier.
Most people don't care about security. They care about capability.
The IETF has decided that ignoring security is a bad idea. This is
good, but for applications or environments which don't require it,
there should not be a large penalty for the required minimum security.
> [js] I think that this needs further discussion. Kerberos, for one, seems
> to be a better choice.
Plan for the lowest common denominator - do you really expect everyone
in the world to install and administer Kerberos just to use LDAP?