Re: [AuthMeth] clarification on SASL DN AuthZ ID



At 12:52 PM 2002-11-12, Roger Harrison wrote:
>Section 4.4.1.1 of [AuthMeth] states:
>
>All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].
>
>I see two problems with this statement.

The problem I see is that this MUST is not necessary for
interoperability.

For authentication only, no authorization identity is needed.  As
discussed on the ietf-sasl list, the authorization identity SHOULD
only be provided if the client wishes to assume the identity
different from that implied by the authentication credentials.
That is, specifying an authorization identity when not doing
proxy authorization causes interoperability problems and should
be avoided.

For proxy authorization, interoperability requires that the
user know the value and form authzId expected by the server.
Servers need only to support the value and forms they expect.
If anything, we should be stating that CLIENTs which support
Proxy Authorization SHOULD support both forms so that users
can specify either.

It's my personal opinion that paragraph should be deleted.

Kurt
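The behaviour the post argues for, shown as an added example that is not part of the original message, OpenLDAP, or any RFC text: a client emits an authzId only when it wants to assume a different identity, and a server parses the two forms named in [AuthMeth] ("dn:" followed by a distinguishedName, "u:" followed by a userid), accepts only the forms it is configured to expect, and consults a proxy-authorization policy before letting a session operate as someone else. The directory entries, the policy table and the simplified DN comparison are all constructed for the example.

```python
"""Added example (not from the original post, OpenLDAP, or any RFC text):
minimal handling of a SASL authorization identity in the two forms named
in [AuthMeth], "dn:" + distinguishedName and "u:" + userid.  All identities,
the proxy policy and the DN normalisation below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthzId:
    form: str    # "dn" or "u"
    value: str   # the DN or the userid after the prefix


def parse_authzid(raw: str) -> Optional[AuthzId]:
    """Parse an authzId.  An empty string means the client supplied no
    authorization identity, i.e. it is not requesting proxy authorization."""
    if raw == "":
        return None
    if raw.startswith("dn:") and len(raw) > 3:
        return AuthzId("dn", raw[3:])
    if raw.startswith("u:") and len(raw) > 2:
        return AuthzId("u", raw[2:])
    raise ValueError(f"malformed authzId: {raw!r}")


def client_authzid(authn_user: str, assume_dn: Optional[str] = None,
                   assume_user: Optional[str] = None) -> str:
    """Client side: send an authzId only when assuming a different identity;
    otherwise send the empty string, as the post recommends."""
    if assume_dn:
        return "dn:" + assume_dn
    if assume_user and assume_user != authn_user:
        return "u:" + assume_user
    return ""


def _norm_dn(dn: str) -> str:
    # Simplified DN equality (lower-case, strip blanks around RDN separators);
    # a real server applies the [LDAPDN] matching rules instead.
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed directory: SASL authentication identity -> entry DN
AUTHN_TO_DN = {
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "proxysvc": "cn=proxysvc,ou=services,dc=example,dc=com",
}
# Constructed proxy-authorization policy: who may assume which DNs
PROXY_POLICY = {
    "proxysvc": {"uid=alice,ou=people,dc=example,dc=com"},
}


def effective_dn(authn_user: str, raw_authzid: str,
                 supported_forms: frozenset = frozenset({"dn", "u"})) -> str:
    """Server side: return the DN the session operates as.
    ValueError: authzId form not supported by this server (the interop
    failure the post warns about).  PermissionError: policy denies it."""
    own_dn = AUTHN_TO_DN[authn_user]
    authz = parse_authzid(raw_authzid)
    if authz is None:
        return own_dn                       # plain authentication, no proxying
    if authz.form not in supported_forms:
        raise ValueError(f"server does not accept the '{authz.form}:' authzId form")
    if authz.form == "dn":
        target_dn = authz.value
    else:
        target_dn = AUTHN_TO_DN.get(authz.value)
        if target_dn is None:
            raise PermissionError(f"unknown userid {authz.value!r}")
    if _norm_dn(target_dn) == _norm_dn(own_dn):
        return own_dn                       # names own identity: treated as no proxy
    allowed = {_norm_dn(d) for d in PROXY_POLICY.get(authn_user, set())}
    if _norm_dn(target_dn) in allowed:
        return target_dn                    # authorized proxy request
    raise PermissionError(f"{authn_user!r} may not assume {target_dn!r}")


if __name__ == "__main__":
    print(effective_dn("alice", client_authzid("alice")))
    print(effective_dn("proxysvc", "dn:uid=alice,ou=people,dc=example,dc=com"))
```

The interoperability point in the post falls out of the last function: a client that sends "u:alice" for alice's own session works against a server that accepts both forms, but fails with ValueError against one configured for "dn" only, whereas sending the empty authzId works against either.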