ietf

Re: 10 years and no ubiquitous security

2002-03-18 12:00:04
At 03:49 PM 3/13/2002, William Allen Simpson wrote:
> 10 years ago tomorrow, Brian Lloyd and I had a "rubber hose" lunch
> meeting with Steve Kent, who as a member of the IAB had refused to allow
> the PPP WG to publish CHAP in our RFC as an official authentication
> protocol.  (He had previously mandated that we remove all security
> protocol negotiation.)  He backed down, but we had to change the name
> from "cryptographic" to "challenge".

Well, I am not sure it was a "rubber hose" lunch although I do remember
being annoyed.  As I recall Steve pointed out that CHAP was not strong by
cryptographic authentication standards and he did not want to attach a
seal-of-approval on that basis.  As I recall, I argued that the alternative
then in use was clear-text passwords and asked if he felt that CHAP was
superior to that.  He did and agreed to sign off on CHAP on that basis.  I
understood that he wanted good cryptographic authentication but we finally
agreed that anything better than passwords was a good thing to have.

I am not entirely sure that I would blame the failure to adopt a coherent
set of security standards entirely on Steve Kent.


Brian Lloyd
brian(_at_)lloyd(_dot_)com
+1.530.676.1113 - voice
+1.360.838.9669 - fax