Re: 10 years and no ubiquitous security



At 03:49 PM 3/13/2002, William Allen Simpson wrote:
>10 years ago tomorrow, Brian Lloyd and I had a "rubber hose" lunch
>meeting with Steve Kent, who as a member of the IAB had refused to allow
>the PPP WG to publish CHAP in our RFC as an official authentication
>protocol.  (He had previously mandated that we remove all security
>protocol negotiation.)  He backed down, but we had to change the name
>from "cryptographic" to "challenge".

Well, I am not sure it was a "rubber hose" lunch although I do remember 
being annoyed.  As I recall Steve pointed out that CHAP was not strong by 
cryptographic authentication standards and he did not want to attach a 
seal-of-approval on that basis.  As I recall, I argued that the alternative 
then in use was clear-text passwords and asked if he felt that CHAP was 
superior to that.  He did and agreed to sign off on CHAP on that basis.  I 
understood that he wanted good cryptographic authentication but we finally 
agreed that anything better than passwords was a good thing to have.

I am not entirely sure that I would blame the failure to adopt a coherent 
set of security standards entirely on Steve Kent.


Brian Lloyd
brian@lloyd.com
+1.530.676.1113 - voice
+1.360.838.9669 - fax