Re: [AuthMeth] clarification on SASL DN AuthZ ID
At 06:42 PM 2/28/2003, Roger Harrison wrote:
>Kurt,
>
>To address your comments on this, in the -05 version I will replace this text:
>
>"All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN]."
>
>With this:
>
>"The dnAuthzId choice allows client applications to assert authorization identities in the form of a distinguished name. The decision to allow or disallow an authentication identity to have access to the requested authorization identity is based on implementation defined policy ([SASL] section 4.2). For this reason there is no requirement that the asserted dn be that of an entry in the directory."
>
>Does this sound reasonable to you?
Yes, except s/based on implementation defined/a matter of local/.
Kurt
>
>Roger
>
>>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 11/12/2002 10:27:08 PM >>>
>At 12:52 PM 2002-11-12, Roger Harrison wrote:
>>Section 4.4.1.1 of [AuthMeth] states:
>>
>>All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].
>>
>>I see two problems with this statement.
>
>The problem I see is that this MUST is not necessary for
>interoperability.
>
>For authentication only, no authorization identity is needed. As
>discussed on the ietf-sasl list, the authorization identity SHOULD
>only be provided if the client wishes to assume the identity
>different from that implied by the authentication credentials.
>That is, specifying an authorization identity when not doing
>proxy authorization causes interoperability problems and should
>be avoided.
>
>For proxy authorization, interoperability requires that the
>user know the value and form authzId expected by the server.
>Servers need only to support the value and forms they expect.
>If anything, we should be stating that CLIENTs which support
>Proxy Authorization SHOULD support both forms so that users
>can specify either.
>
>It's my personal opinion that paragraph should be deleted.
>
>Kurt
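The behaviour argued for in the thread above, as an added example that is not part of the original message and not code from any LDAP server: a toy server-side check that parses a SASL authzId in the two forms of RFC 2829 ("dn:" and "u:"), treats an absent authzId as "act as the authenticated identity", and otherwise consults a purely local proxy-authorization policy without checking whether the asserted DN names an entry in the directory. The policy table, the sample entries and the DN normalization are constructed for this illustration; real DN matching (RFC 4514/4517) is considerably more involved than the stand-in here.

```python
"""Added example: server-side handling of a SASL authorization identity (authzId)
in the "dn:" and "u:" forms of RFC 2829, with an implementation-local proxy
authorization policy. All names, entries and policy rows are constructed."""
from typing import Optional, Set, Tuple

# Constructed sample directory: only these (normalized) DNs are real entries.
DIRECTORY_ENTRIES: Set[str] = {
    "cn=alice,dc=example,dc=com",
    "cn=proxy,dc=example,dc=com",
}

# Constructed local policy: authentication identity -> authorization identities it
# may assume when proxying. Acting as oneself needs no row (handled in authorize()).
# The "cn=batch-job" target is deliberately NOT an entry in DIRECTORY_ENTRIES: the
# thread's point is that the asserted DN need not be one, since this is local policy.
PROXY_POLICY = {
    "cn=proxy,dc=example,dc=com": {
        ("dn", "cn=alice,dc=example,dc=com"),
        ("dn", "cn=batch-job,ou=virtual,dc=example,dc=com"),
        ("u", "alice"),
    },
}


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption for this example): lowercase and strip
    whitespace around RDN separators. Not a substitute for real LDAP DN matching."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(part.strip() for part in rdn.split("=", 1)) for rdn in rdns).lower()


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Parse 'dn:<distinguishedName>' or 'u:<userid>' into a (form, value) pair.
    Any other form is rejected: a server need only support the forms it expects."""
    if authzid.startswith("dn:"):
        return ("dn", normalize_dn(authzid[3:]))
    if authzid.startswith("u:"):
        return ("u", authzid[2:])
    raise ValueError("unsupported authzId form: %r" % authzid)


def entry_exists(dn: str) -> bool:
    """Whether a DN names an entry in the constructed directory. authorize() never
    calls this: proxy authorization is a policy decision, not an entry lookup."""
    return normalize_dn(dn) in DIRECTORY_ENTRIES


def authorize(authn_dn: str, authzid: Optional[str]) -> Tuple[str, str]:
    """Return the effective authorization identity as a (form, value) pair.

    - No authzId: the authorization identity is the one implied by the
      authentication credentials (the ordinary, non-proxy case).
    - authzId naming the authenticated identity itself: allowed.
    - Anything else: consult PROXY_POLICY. Existence of the target entry is not
      checked, in line with the draft text quoted in the thread.
    """
    authn = ("dn", normalize_dn(authn_dn))
    if authzid is None:
        return authn
    requested = parse_authzid(authzid)
    if requested == authn:
        return authn
    if requested in PROXY_POLICY.get(authn[1], set()):
        return requested
    raise PermissionError("%s may not assume %r" % (authn[1], requested))


if __name__ == "__main__":
    print(authorize("cn=proxy,dc=example,dc=com", "dn:cn=batch-job,ou=virtual,dc=example,dc=com"))
    print(authorize("cn=alice,dc=example,dc=com", None))
```

The client-side counterpart of the thread's advice is simply to omit the authzId unless proxying: `authorize(dn, None)` is the path an ordinary bind should take, and a client that sends `dn:` for its own identity gains nothing while depending on the server supporting that form and matching the DN exactly.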