
On early systems on AS/400 and VAX platforms, the OS kernel maintained very strong controls over password security. These controls include:
I was very disappointed to find these types of "basic" controls missing from Netscape Enterprise Server 2. The last thing I want is to have application developers writing password-control programs. Yet I do not see these issues being addressed by anyone, because the entire emphasis is on Internet security and firewalls. My application is for internal corporate use only, so I do not have to worry about firewalls. You have to first log on to the corporate network as a trusted user before you can attempt to access my or any other internal application.
I am trying to get Memco and Netscape to work together and create an API that will allow for proper password control. I would like to see these issues raised as a basic requirement before we look to certificate servers and encryption key length.
Martin Weinberg
Chase Manhattan Bank
weinber@cbc.com
Your points are very valid and well taken. Most of the database vendors are grafting their security directly onto their Internet/Intranet database middleware, which can provide the security features you mentioned. Therefore, covering this information might not be as informative as describing new technology that is unfamiliar to people. Custom client applications, such as those you seem to be describing, have a more difficult time. The long-term solutions for these problems might be found in the new object technologies such as DCOM and CORBA (when linked with Kerberos authentication). Grafting system kernel security onto the Internet is quite problematic, as most vendors have found. Also, building client programs with the new Java and ActiveX tools will access the current database security options. I encourage you to create a proposal for such an API. If there are enough other users that value such a solution, you may create a new Internet standard.
-- Dan Rahmel