[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authentication Methods for LDAP - last call
On Wed, 5 Aug 1998, Steve Kille wrote:
> I'd like to respond briefly to your summary. To me, John Strassner's
> rebuttal of Chris Newman's message sets out clearly the case against a
> single mandtory authentication mechanism.
I didn't respond to that rebuttal because I found it uncompelling (I've
since deleted the message and can't find an archive for this list).
I find having no mandatory authentication mechanism to be entirely
unacceptable. It means that everyone will implement and use unencrypted
clear text passwords for update access. I know I don't want that
situation to continue, and I suspect you're only promoting that situation
as a result of a well-intentioned streak of idealism. Granted, if we make
CRAM-MD5 mandatory-to-implement, it might not solve the problem and
everyone might still use unencrypted clear text passwords by default, but
it has the best chance of helping that problem.
> Basic LDAP client/server interoperability can be and is achieved without
> authententication.
Only if you remove all update functionality from the specification. That
IESG disclaimer isn't going away without a mandatory-to-implement
authentication mechanism.
> If I had to pick a single mechanism it would be X.509 based. Kerberos
> would be better than CRAM-MD5.
The point of a baseline mechanism is that it's so easy everyone will do it
in addition to unencrypted clear text passwords. It doesn't have to be
perfect and it doesn't have to be scalable. It probably should be a
reasonable choice for a small/medium site with one LDAP server.
X.509 has been around for ten years and has never been successfully
deployed for client authentication on a wide scale. I suspect mandating
X.509 would be equivalent to mandating clear text passwords in practice.
Kerberos has been around for a long time as well, and the evidence shows
that it is only deployable at sites with a skilled security administrator.
Again, mandating Kerberos is equivalent to mandating clear text passwords
in practice. It has the additional problem that no implementation can use
Kerberos by default since it can't assume the presence of a Kerberos
server. What should be the default? Unencrypted clear text?
> Making CRAM-MD5 mandatory will promote an approach which a lousy choice
> for many many environments.
So we document that CRAM-MD5 is primarily suitable for single LDAP server
sites and that distributed sites should use a better mechanism. No
authentication mechanism will be viable at all sites for a long time. We
need to document this fact and choose the right set to recommend.
But please don't make clear text passwords the only authentication
mechanism that will work in all implementations. I sure hope nobody wants
that.
- Chris