[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authentication Methods for LDAP - last call
Point for point rebuttal of John's Monday message follows:
On Mon, 3 Aug 1998, John C. Strassner wrote:
> >* Scalability comes in two forms -- many users on one server or many
> >servers with distributed rules
> [js] umm, excuse me, but there is a huge difference between the relatively
> small number of users that a single server can support and the very large
> number of users that a distributed system consisting of multiple servers
> can support.
A fast single server could easily support 200,000 user entires and that
will suffice for a large number of sites. The simplicity of managing one
server rather than managing many servers makes this desirable for
small/medium sized organizational units.
> >* CRAM-MD5 is several orders of magnitude faster than X.509.
> [js] shooting yourself in the head will probably make you die faster than
> shooting yourself multiple times in the foot - what's the point? if the
> requirement is scalability and/or being able to support large numbers of
> users for secure authentication, CRAM-MD5 won't cut it. period.
The requirements for a baseline mechanism are documented in
draft-newman-auth-mandatory-00.txt. CRAM-MD5 is intended as a replacement
for the unencrypted clear text passwords everyone is using with LDAP
today. We should not pretend it is a secure mechanism -- only that it is
sufficiently better than unencrypted clear text passwords and simple
enough that it has a chance of replacing them and making everyone safer.
> >* X.509 scales better for a distributed system than CRAM-MD5
> >
> >* CRAM-MD5 is a small burden on an implementor, X.509 is a huge burden
> [js] but undertaking security for a distributed system is a huge burden in
> and of itself. taking short cuts doesn't make this easier.
Not all LDAP uses are distributed. In fact most uses will be standalone.
Obviously we need to continue to do research on distributed authentication
technologies and nothing is stopping that.
> [js] sorry, i disagree. single-server deployments does not equal large
> deployments.
I agree. But large deployments will use something other than CRAM-MD5 so
where's the controversy? CRAM-MD5 is baseline, not the best.
> [js] I think that this needs further discussion. Kerberos, for one, seems
> to be a better choice.
Kerberos can't be used as mandatory-to-implement unless we also made it
mandatory that *every* LDAP server includes a full Kerberos domain server.
Otherwise real-world implementations can't assume Kerberos is present and
will have to use something else by default. So what else should they use?
Unencrypted clear text or CRAM-MD5?
- Chris