Re: Identity and TLS sessions
Gary Anderson wrote:
>
> I suspect that the choice of anonymous identity upon closure of the TLS
> session was simply one of convenience. I think that the actual
> operation should more closely resemble 2 or 4 in the above list.
>
> Can someone provide insight on why the current RFC specifies returning
> to the anonymous identity?
Because a server may have based the identity decision on the TLS or SSL
negotiation, e.g. if the client has used certificate-based
authentication and then Binds with mechanism EXTERNAL. The LDAP Bind
operation does not stack credentials.
> In light of the above, I would like to propose the following change to
> 5.5.2 of the Authentication Methods draft:
>
> Old Text:
> Closure of the TLS connection MUST cause the LDAP association to
> move to an anonymous authentication and authorization state
> regardless of the state established over TLS and regardless of the
> authentication and authorization state prior to TLS connection
> establishment.
>
> New Text:
> Upon closure of the TLS connection, the server MAY leave the LDAP
> association with any previously established authentication and
> authorization identities, or it MAY move the LDAP association to
> an anonymous authentication and authorization state. The
> authentication and authorization identities for the LDAP association
> will depend on server authentication and association identity
> policy.
Changes between a Proposed and Draft standard should be based on resolving
interoperability problems. I don't see an interoperability problem in the
current RFCs or that this change would improve interoperability between
clients which have implemented the existing RFCs.
Mark Wahl
Sun Microsystems Inc.
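The point in the reply above is that a Bind with SASL EXTERNAL borrows its identity from the TLS layer and that Bind does not stack credentials, so once TLS is closed there is no credential left behind the identity. The following is an added example, not code from the RFC, the draft, or any LDAP server: a toy model of one LDAP association's authentication state across StartTLS, Bind and TLS closure. The class and function names, the sample directory entry and the certificate subjects are constructed for illustration; the local policy of keeping the pre-TLS identity across StartTLS is an assumption (the draft leaves that to server policy), while the closure behaviour follows the "Old Text" quoted above.

```python
"""Toy model of an LDAP association's authentication state across
StartTLS / Bind / TLS closure.  Constructed for illustration; it is not
code from the RFC, from the draft under discussion, or from any LDAP
server.  Result code names follow LDAP's usual vocabulary, but the
exact policy modelled is an assumption chosen to match the reasoning in
the message above."""

ANONYMOUS = None


class LdapAssociation:
    """Tracks the single current authentication identity of one LDAP
    association.  Bind does not stack: each successful Bind replaces
    whatever identity was in force before it."""

    def __init__(self):
        self.identity = ANONYMOUS       # authentication/authorization identity
        self.tls_active = False
        self.tls_client_cert = None     # subject of the client cert, if any

    def start_tls(self, client_cert_subject=None):
        """StartTLS: negotiate TLS, optionally with a client certificate.
        Assumed local policy: the pre-TLS identity is kept (the draft
        leaves this to server policy)."""
        if self.tls_active:
            return "operationsError"    # TLS already in place
        self.tls_active = True
        self.tls_client_cert = client_cert_subject
        return "success"

    def bind_simple(self, dn, password, directory):
        """Simple Bind: identity comes from a name/password the server checks itself."""
        if directory.get(dn) == password:
            self.identity = dn
            return "success"
        self.identity = ANONYMOUS       # a failed Bind leaves the association anonymous
        return "invalidCredentials"

    def bind_external(self):
        """SASL EXTERNAL: the identity is whatever the lower layer (here TLS
        client-certificate authentication) already established.  Without
        such a layer there is nothing to bind to."""
        if not (self.tls_active and self.tls_client_cert):
            self.identity = ANONYMOUS
            return "inappropriateAuthentication"
        self.identity = self.tls_client_cert
        return "success"

    def close_tls(self):
        """TLS closure per the quoted 5.5.2 text: the association becomes
        anonymous regardless of how the identity was established.  An
        EXTERNAL-derived identity in particular has no credential left to
        rest on once the TLS layer is gone."""
        self.tls_active = False
        self.tls_client_cert = None
        self.identity = ANONYMOUS


def external_identity_does_not_survive_tls_closure():
    """Scenario: client-cert TLS, then EXTERNAL Bind, then TLS closed."""
    assoc = LdapAssociation()
    assoc.start_tls(client_cert_subject="cn=alice,o=example")  # constructed subject
    bound = assoc.bind_external()
    identity_during_tls = assoc.identity
    assoc.close_tls()
    return bound, identity_during_tls, assoc.identity


def bind_does_not_stack():
    """Scenario: simple Bind, then EXTERNAL Bind; only the last Bind counts."""
    directory = {"cn=bob,o=example": "s3cret"}  # constructed test directory
    assoc = LdapAssociation()
    assoc.bind_simple("cn=bob,o=example", "s3cret", directory)
    first = assoc.identity
    assoc.start_tls(client_cert_subject="cn=alice,o=example")
    assoc.bind_external()
    return first, assoc.identity


def external_without_client_cert():
    """Scenario: EXTERNAL Bind over plain TCP has no lower-layer identity."""
    assoc = LdapAssociation()
    return assoc.bind_external(), assoc.identity


if __name__ == "__main__":
    print(external_identity_does_not_survive_tls_closure())
    print(bind_does_not_stack())
    print(external_without_client_cert())
```

Run as a script, the three scenarios show the identity bound via EXTERNAL dropping to anonymous at TLS closure, a second Bind replacing rather than adding to the first, and EXTERNAL failing when no lower layer has authenticated the client.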