[Date Prev][Date Next]
Re: [AuthMeth] clarification on SASL DN AuthZ ID
At 12:52 PM 2002-11-12, Roger Harrison wrote:
>Section 188.8.131.52 of [AuthMeth] states:
>All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].
>I see two problems with this statement.
The problem I see is that this MUST is not necessary for
For authentication only, no authorization identity is needed. As
discussed on the ietf-sasl list, the authorization identity SHOULD
only be provided if the client wishes to assume the identity
different from that implied by the authentication credentials.
That is, specifying an authorization identity when not doing
proxy authorization causes interoperability problems and should
For proxy authorization, interoperability requires that the
user know the value and form authzId expected by the server.
Servers need only to support the value and forms they expect.
If anything, we should be stating that CLIENTs which support
Proxy Authorization SHOULD support both forms so that users
can specify either.
It's my personal opinion that paragraph should be deleted.