
RE: Authentication Methods for LDAP - last call



> Now you see, this is the fun (or painful) thing about this thread.
> I can actually completely agree with your argument,

Oh, good!

> but my conclusion is completely different.

Darn.  Oh, well.

> Specifically, I would argue that CRAM-MD5 MAY be implemented in environments
> where scale and security are not a concern

Well, this is actually the issue.  The IETF says that we MUST have something
better than clear text passwords.  So, given this premise, we need to pick
something that MUST be present but it should not be a large burden to new
implementors.

CRAM-MD5 (or DAA) is self-contained (does not require any external servers),
it is well understood (code and descriptions are freely available), small
(less than 10KB of unoptimized Intel object code), and does not require
changing the information stored in the LDAP server.

> and public key based authentication MUST be implemented where they are.

I agree that where scaling is a concern, that something better is required.
And while I think that certificate based authentication is good, it is not
the only option (Kerberos V is also able to scale and is secure).

> Now, before you turn your flame thrower on, please read on.

No flame thrower for you.  I understand what you are saying and you are not
putting words in my mouth. :-)

> I take John's point suggesting that we are in an infinite rebuttal loop
> that (I hope) none of us really want.

I agree.

> Is the basis of John's suggested compromise really that difficult to swallow?

Well, if the basis is to get beyond an "infinite rebuttal loop", then "no".

> Is it simply a matter of wording?

Yes, it is a matter of wording.

> To be more specific, I am more than willing to accept the MUST for
> CRAM-MD5 and the SHOULD for public key as long as the proper caveats
> (as previously suggested) are inserted into the document.

Other than your choice of the "public key" as the term to use, (I prefer
Chris Newman's proposal, only with SHOULD instead of MUST) this is what
seems right.

It was the argument that would make certificates a MUST for LDAP that
was not palatable to me.  A full ASN.1 parser alone takes up 250KB (or
more) and then you actually have to deploy CAs and other software for
it all to work.
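The CRAM-MD5 exchange the message calls "self-contained" and "well understood" is short enough to show in full. The following is an added example written for this page, not code from the thread or from any LDAP implementation: it builds the RFC 2195 challenge, computes the client's keyed-MD5 response, and verifies it server-side, using the username, password and challenge from the RFC 2195 example as constructed test input. The hostname, the in-memory password lookup and the function names are assumptions of the example.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides, as an illustration.

Example code added to the page; the password table and hostname are
constructed sample data, not taken from any real deployment.
"""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname, nonce=None, timestamp=None):
    """Server side: build the RFC 2195 challenge '<nonce.timestamp@hostname>'.

    A fresh nonce per connection is what prevents a captured response from
    being replayed; the timestamp is conventional, not security-critical.
    """
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big")
    if timestamp is None:
        timestamp = int(time.time())
    return f"<{nonce}.{timestamp}@{hostname}>"


def digest_for(password, challenge):
    """Keyed MD5 of the challenge with the shared secret as key (HMAC-MD5, RFC 2104)."""
    return hmac.new(password.encode("utf-8"),
                    challenge.encode("utf-8"),
                    hashlib.md5).hexdigest()


def client_response(username, password, challenge):
    """Client side: 'username SP hex-digest' (RFC 2195 section 2)."""
    return f"{username} {digest_for(password, challenge)}"


def server_verify(response, challenge, lookup_password):
    """Server side: recompute the digest for the claimed user and compare.

    lookup_password must return the user's cleartext secret (or None); CRAM-MD5
    cannot be verified from a one-way password hash, which is why the
    verifier needs the password in recoverable form.
    """
    username, sep, digest = response.partition(" ")
    if not sep:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    # Constant-time comparison so the check does not leak how many
    # leading digest bytes matched.
    return hmac.compare_digest(digest, digest_for(password, challenge))


def run_exchange(username, password, lookup_password,
                 hostname="postoffice.reston.mci.net", nonce=None, timestamp=None):
    """Full exchange with the base64 framing used on the wire.

    Returns (wire_challenge, wire_response, accepted).
    """
    challenge = make_challenge(hostname, nonce, timestamp)
    wire_challenge = base64.b64encode(challenge.encode("ascii")).decode("ascii")

    # Client: decode the challenge, answer it, encode the answer.
    seen_challenge = base64.b64decode(wire_challenge).decode("ascii")
    response = client_response(username, password, seen_challenge)
    wire_response = base64.b64encode(response.encode("ascii")).decode("ascii")

    # Server: decode the answer and verify against the challenge it issued.
    accepted = server_verify(base64.b64decode(wire_response).decode("ascii"),
                             challenge, lookup_password)
    return wire_challenge, wire_response, accepted


# Constructed sample credential table (the user/password pair is the one used
# in the RFC 2195 example; the lookup itself is an assumption of this example).
SAMPLE_USERS = {"tim": "tanstaaftanstaaf"}


def sample_lookup(username):
    return SAMPLE_USERS.get(username)


if __name__ == "__main__":
    wc, wr, ok = run_exchange("tim", "tanstaaftanstaaf", sample_lookup,
                              nonce=1896, timestamp=697170952)
    print("S: +", wc)
    print("C:", wr)
    print("accepted:", ok)
```

The two wire lines printed for the fixed nonce and timestamp are exactly the RFC 2195 example exchange. The `server_verify` signature also makes the practitioner's caveat visible: the server must be able to hand the verifier the cleartext password, so "does not require changing the information stored in the LDAP server" holds only where the server already holds passwords in recoverable form.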