Re: New XAUTH draft

[Dan Harkins <dharkins@network-alchemy.com>]

On Thu, 30 Sep 1999 16:40:14 EDT you wrote
> 
> So perhaps the next question is: is there consensus that this threat
> is so serious that XAUTH has no meaningful applicability in the real
> world?  If so, then of course the draft can't proceed.  But if the
> consensus is that there are enough real world applications that can
> live with this threat, then the draft can and should proceed as it
> stands.

I'd like to respectfully call for a postponement of that call for
consensus. At least until a viable alternative to XAUTH has been
presented to the WG and, as I said, it'll be out RSN (the less time
I spend on this thread the more I spend on the draft).

You've drawn boxes around the problems I described and want to say,
in effect, well they might not be serious for all people and so XAUTH
is fine for people not worried about that problem. But if there was
a protocol which did not have these problems (and I'm frankly amused
at how these problems are pooh-poohed in XAUTH whereas most any other
_security_ protocol would get shot down in a barrage of bullets) but 
satisfied the main goal in XAUTH-- that is, selling customers something 
that uses token cards-- would it not be preferable?

This draft will be released well in advance of the DC IETF so people
will have ample opportunity to read it and compare it to XAUTH, throw
darts, etc. Then we can call for consensus.

  Dan.

---

References:

• Re: New XAUTH draft
• From: Paul Koning <pkoning@xedia.com>

---

• Prev by Date: Re: New XAUTH draft
• Next by Date: Re: New XAUTH draft
• Prev by thread: Re: New XAUTH draft
• Next by thread: Re: New XAUTH draft
• Index(es):
  • Main
  • Thread