
Re: I-D.ietf-v6ops-cpe-simple-security-10



On Thu, 22 Apr 2010 17:38:11 +0100
Timothy Baldwin <T.E.Baldwin99@members.leeds.ac.uk> wrote:

> Mark Smith wrote:
> > Would it be possible to make these rules a bit more general, such that
> > they'd automatically cover things like IPsec, HIP or any other current
> > (e.g. ssh) or future protocols that are authenticated, without
> > nominating the protocols specifically?
> There are many ssh servers with default or poorly chosen passwords, so
> that might not be a good idea.
> 

There are, of course, always corner cases. Passwords in themselves
aren't fundamentally very good, but in most cases we seem to persist
with them. Physical tokens, as an example of 2 factor authentication,
are a relative rarity.

CPE can't protect their users from being stupid when picking passwords.
As much as they shouldn't really have to, that role is best performed by
the point of entry of the password itself. If a protocol has the
property of authentication, then I think the CPE should trust it, and
make issues such as password quality the responsibility of the
end-nodes/end-points.

Regards,
Mark.