[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Authentication Methods for LDAP - last call
I agree with John - this seems like a reasonable compromise.
I do have one additional question/request for clarification:
What impact will Steve Kille's proposal for an X.509-based
SASL mechanism have on the current document - namely
Section 9?
Also, for those of us that are interested in the use of Certificate based
authentication, is it appropriate to consider drafting
Certificate processing rules in support of the access control
function? I volunteer to help spearhead such an effort if there
is sufficient interest.
Cheers,
Steve Lloyd
Entrust Technologies
steve.lloyd@entrust.com
613-247-3182
> ----------
> From: John C. Strassner[SMTP:johns@cisco.com]
> Sent: Wednesday, August 05, 1998 7:10 PM
> To: Chris Newman; John C. Strassner
> Cc: Steve Kille; ietf-ldapext@netscape.com
> Subject: Re: Authentication Methods for LDAP - last call
>
> Good grief. The argument set forth by you and some others essentially says
> don't worry about mass deployments, or the Internet, or real businesses
> that have more than ONE server, use a (by your own admission) weak
> security
> mechanism (CRM-MD5) because it is simpler to implement and better than
> passing clear text. This is bordering on the absurd. You will never
> convince me, Steve, Paul, and others that work on distributed systems of
> this argument.
>
> On the other hand, I do see your point that for certain well-controlled
> implementations CRAM-MD5 might be good enough. Fine. Let's end the madness
> and stop wasting bandwidth. How about this for a compromise:
>
> Add text to the draft that divides the deployment of LDAP into two types:
> one for businesses that use one (or perhaps a small number) of servers,
> and
> one that implements a distributed system of many servers. For the former,
> specify that mandatory to implement is CRAM-MD5, and for the latter,
> specify that mandatory to implement is either a certificate-based system
> or
> Kerberos.
>
> Otherwise I think that we will just continue to trade "point-for-point
> rebuttals" which don't lead anywhere. As an example, I will rebut your
> rebuttal, and I'm sure that soon you will rebut my rebuttal, and then
> other
> people will get into the act. This is stupid.
>
> So how about it? I'm willing to compromise, and I think that this
> compromise captures the best of both positions. How about you?
>
> Tim, comments?
>
> John
>
> Of course passing clear text At 03:22 PM 8/5/98 -0700, Chris Newman wrote:
> >Point for point rebuttal of John's Monday message follows:
> >
> >On Mon, 3 Aug 1998, John C. Strassner wrote:
> >> >* Scalability comes in two forms -- many users on one server or many
> >> >servers with distributed rules
> >> [js] umm, excuse me, but there is a huge difference between the
> relatively
> >> small number of users that a single server can support and the very
> large
> >> number of users that a distributed system consisting of multiple
> servers
> >> can support.
> >
> >A fast single server could easily support 200,000 user entires and that
> >will suffice for a large number of sites. The simplicity of managing one
> >server rather than managing many servers makes this desirable for
> >small/medium sized organizational units.
>
> [js] But the obvious problem is that many sites of less people than
> 200,000
> people have multiple servers - what do they do? Worse, most of these sites
> have these multiple servers distributed in different geographic locations
> and can NOT implement a single master system (are you seriously going to
> suggest that a multinational organization can't update their directory
> because their (slow) WAN link is down?).
>
> >> >* CRAM-MD5 is several orders of magnitude faster than X.509.
> >> [js] shooting yourself in the head will probably make you die faster
> than
> >> shooting yourself multiple times in the foot - what's the point? if the
> >> requirement is scalability and/or being able to support large numbers
> of
> >> users for secure authentication, CRAM-MD5 won't cut it. period.
> >
> >The requirements for a baseline mechanism are documented in
> >draft-newman-auth-mandatory-00.txt. CRAM-MD5 is intended as a
> replacement
> >for the unencrypted clear text passwords everyone is using with LDAP
> >today. We should not pretend it is a secure mechanism -- only that it is
> >sufficiently better than unencrypted clear text passwords and simple
> >enough that it has a chance of replacing them and making everyone safer.
>
> [js] I would never recommend passing unencrypted clear text passwords.
> In that respect, CRAM-MD5 is better. That's why I tried the compromise.
>
> >> >* X.509 scales better for a distributed system than CRAM-MD5
> >> >
> >> >* CRAM-MD5 is a small burden on an implementor, X.509 is a huge burden
> >> [js] but undertaking security for a distributed system is a huge burden
> in
> >> and of itself. taking short cuts doesn't make this easier.
> >
> >Not all LDAP uses are distributed. In fact most uses will be standalone.
> >Obviously we need to continue to do research on distributed
> authentication
> >technologies and nothing is stopping that.
>
> [js] Right, but not all deployments can be single-server (or even a "few"
> servers because of geographic location restrictions and other factors.
> Again, that's why I proposed the compromise.
>
> >> [js] sorry, i disagree. single-server deployments does not equal large
> >> deployments.
> >
> >I agree. But large deployments will use something other than CRAM-MD5 so
> >where's the controversy? CRAM-MD5 is baseline, not the best.
>
> [js] Simply that having a mandatory to implement CRAM-MD5 for a
> distributed
> system when we know that it can't work is a waste of time.
>
> >> [js] I think that this needs further discussion. Kerberos, for one,
> seems
> >> to be a better choice.
> >
> >Kerberos can't be used as mandatory-to-implement unless we also made it
> >mandatory that *every* LDAP server includes a full Kerberos domain
> server.
> >Otherwise real-world implementations can't assume Kerberos is present and
> >will have to use something else by default. So what else should they
> use?
> >Unencrypted clear text or CRAM-MD5?
> >
> > - Chris
> >
> [js] Whichever the needs of the deployment has. Just please don't force me
> to implement CRAM-MD5 for a distributed system, and I won't force you to
> implement Kerberos or X.509 certs for a single server system.
>