At 03:49 PM 3/13/2002, William Allen Simpson wrote:
>10 years ago tomorrow, Brian Lloyd and I had a "rubber hose" lunch
>meeting with Steve Kent, who as a member of the IAB had refused to allow
>the PPP WG to publish CHAP in our RFC as an official authentication
>protocol. (He had previously mandated that we remove all security
>protocol negotiation.) He backed down, but we had to change the name
>from "cryptographic" to "challenge".

Well, I am not sure it was a "rubber hose" lunch although I do remember being annoyed. As I recall Steve pointed out that CHAP was not strong by cryptographic authentication standards and he did not want to attach a seal-of-approval on that basis.

As I recall, I argued that the alternative then in use was clear-text passwords and asked if he felt that CHAP was superior to that. He did and agreed to sign-off on CHAP on that basis. I understood that he wanted good cryptographic authentication but we finally agreed that anything better than passwords was a good thing to have.

I am not entirely sure that I would blame the failure to adopt a coherent set of security standards entirely on Steve Kent.

Brian Lloyd
brian@lloyd.com
+1.530.676.1113 - voice
+1.360.838.9669 - fax