Xref: utzoo comp.protocols.tcp-ip:16575 alt.security:2680
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!sample.eng.ohio-state.edu!purdue!haven.umd.edu!uvaarpa!murdoch!usenet
From: randall@Virginia.EDU (Randall Atkinson)
Newsgroups: comp.protocols.tcp-ip,alt.security
Subject: Authentication & Internet Protocol Suite
Message-ID: <1991Jun18.142936.5962@murdoch.acc.Virginia.EDU>
Date: 18 Jun 91 14:29:36 GMT
References: <6201.Jun1504.10.2091@kramden.acf.nyu.edu> <29102.Jun1800.35.2891@kramden.acf.nyu.edu>
Sender: usenet@murdoch.acc.Virginia.EDU
Followup-To: comp.protocols.tcp-ip,alt.security
Distribution: inet
Organization: University of Virginia
Lines: 38

In article , Mike St. Johns writes:
% The functionality of RFC931 was very limited and in any case has been
% subsumed by two other very good protocols - KERBEROS and SNMP.

In article <29102.Jun1800.35.2891@kramden.acf.nyu.edu>, Dan Bernstein writes:
> I have nothing against Kerberos. I think it's a good start; I even wrote
> some code for Kerberos v5. But the current implementation simply cannot
> be used to authenticate, e.g., mail between nyu.edu and umd.edu, at
> least not without a lot of work. Surely you want some authentication
> outside your local network?
>
> I just heard about SNMP's proposed security mechanism. I don't like it.
> It's ridiculously vulnerable to known-plaintext, even chosen-plaintext
> attacks, especially given the stylized format of SNMP output. And it
> still won't help you outside your local network unless you've exchanged
> a whole bunch of keys in advance.
>
> I agree that RFC 931 doesn't do a whole lot. It just provides usernames.
> But that's enough to stop what is by far the most common type of mail
> forgery.

I think that the Internet Protocol Suite does need to have viable
authentication mechanisms built in to the protocols (hopefully most
people agree that the current lack of authentication is a problem).

I haven't read the new SNMP draft yet, but I have read the Kerberos
documentation. I think Kerberos does a good job, but I'd like to
see authentication supported by the basic protocols rather than
relying exclusively on Kerberos addons. Also, key distribution
continues to rear its ugly head (barring the arrival of inexpensive
& easily obtained RSA licenses and keys).

I've cross-posted this to alt.security because it is clearly of
interest there as well.