[JDEV] digest and ldap and authentication

Appleweed appleweed at indigenoustech.com
Tue Aug 1 23:49:58 CDT 2000


I must say that every time I get into a discussion about security models my 
mind starts to shut down.

That being said, I thought I'd add my (2.0 x 10 ^ -2) cents in before I 
fall asleep in my chair. (I just had dinner with a friend of mine who 
finally left the security industry after 5 years with a software firm.)

... Beyond a server implementation of SSL, I wonder if any other 
implementation should not be a client issue, one of specific application. 
For instance, a few have spoken about an e-commerce application using 
Jabber. This invariably will need at least SSL. If it needed something 
more, why implement it as part of a Jabber release? It would only be used 
by one or a limited number of apps making Jabber a bit more like bloatware. 
Does Jabber need to be all things to all applications?

Also, my friend with the security fixation pointed out that "security" in 
our case has two real sides: "security" in the sense of encrypted messaging 
and "security" in the sense of authentication. Both may not be necessary 
for all possible applications depending on one's (or "your" ;-) viewpoint. 
This is especially true when you weigh the consequences of overhead when 
you deploy one of these security models. PGP, for instance, would not be so 
fun while you wait around for keys to be generated in an "instant 
messaging" scenario. (i.e., PGP is damn slow for this).

Oh well, it's late. I'm tired. Hope something here made sense. :)

-Omar Abdelwahed

-----Original Message-----
From:	mark at mjwilcox.com [SMTP:mark at mjwilcox.com]
Sent:	Tuesday, August 01, 2000 11:06 PM
To:	jdev at jabber.org
Subject:	Re: [JDEV] digest and ldap and authentication

On 1 Aug 00, at 9:05, Donn Cave wrote:

> Quoth mark at mjwilcox.com:
> | On 31 Jul 00, at 17:21, Donn Cave wrote:
> ...
> |> The main point though is the application services.  Something like
> |> SSL is fine if you either have one password per service, or you
> |> have all the services in one central trusted site.  If you have
> |> a site wide password, and a service supported somewhere outside
> |> its central computing facility, you have at best added to the
> |> number of people you have to trust.  (Mainly that means, trusting
> |> in their competence to avoid being hacked.)  At my site, a good
> |> example would be a Jabber server on a PC in a dormitory room.
> |> Kerberos makes it possible for that server to function in the
> |> campus system, everyone can use their regular IDs without having
> |> to consider that issue.
>
> | This is a good point, but until Kerberos is everywhere, there's not
> | much you can do about it.
>
> Not much I can do about what?  Did you mean to sound so passive?

I mean you as in a general plurality. Perhaps general populace,
etc. would have been a better term. What I mean is that SSL is
much more widespread than Kerberos and it's likely going to
remain that way for a long time. It doesn't matter that Kerberos is
a much better authentication system, because it just isn't widely
deployed.

Mark
>
> 	Donn Cave, donn at u.washington.edu
>
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>
>


Mark Wilcox
mark at mjwilcox.com
Got LDAP?
