Re: Review: IESG Agenda and Package for January 22, 2004 Telechat



> 2. Use of term 'password'
> 
> This document takes a very odd approach for the use of term password,
> especially for a security document. It starts by claiming in Section
> 1.8 that 'password' will be used in a very broad way, kind of an alias
> for 'security token'. However, this is not consistently followed and
> almost all other instances of 'password' in the document refer to the
> old good interpretation that we all knew. On the other hand, other
> types of 'passwords' like SNMP community strings get special treatment
> in some sections.

SNMP community strings are not passwords.  A better analogy is that a
SNMP community string is like a groupname to which multiple users
belong.  RFC 1157 says:

   An SNMP message originated by an SNMP application entity that in fact
   belongs to the SNMP community named by the community component of
   said message is called an authentic SNMP message.  The set of rules
   by which an SNMP message is identified as an authentic SNMP message
   for a particular SNMP community is called an authentication scheme.
   ...  Some SNMP implementations may wish to support only a trivial
   authentication service that identifies all SNMP messages as
   authentic SNMP messages.

So, with trivial authentication, the community string identifies a group
of originators, and any message which correctly identifies the group is
automatically authentic.

Keith.