
Re: protocol: new SASL layers



Additionally, it should be made clear in the technical specification
that SASL layers, once installed in a session, can be replaced with
new SASL layers (after appropriate SASL negotiation) but cannot be
de-installed.  That is, completing DIGEST-MD5 authentication with
layers followed by a simple bind does not cause the layers to be
de-installed.

Kurt


At 02:17 PM 4/30/2003, Kurt D. Zeilenga wrote:
>I believe this text should be deleted.
>>   If a SASL transfer encryption or integrity mechanism has been negotiated,
>>   that mechanism does not support the changing of credentials from one
>>   identity to another, then the client MUST instead establish a new
>>   connection.
>
>Each SASL negotiation is, generally, independent of other SASL
>negotiations.  If there were dependencies between multiple
>negotiations of a particular mechanism, the mechanism technical
>specification should detail how applications are to deal with
>them.  LDAP should not require any special handling.  And if
>an LDAP client had used such a mechanism, it would have the
>option of using another mechanism.
>
>Comments?
>
>Kurt
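
The rule proposed in the first message above (a SASL layer can be replaced by a later SASL negotiation but is not removed by a simple bind), sketched as an added example that is not part of the original thread or of any LDAP implementation. `Session` and `IntegrityLayer` are hypothetical names, the HMAC framing is a stand-in rather than DIGEST-MD5's real layer format, and leaving the existing layer in place when a SASL bind negotiates no layer is an assumption.

```python
import hashlib
import hmac

class IntegrityLayer:
    """Stand-in for a negotiated SASL integrity layer (not real DIGEST-MD5 framing)."""
    def __init__(self, key: bytes):
        self.key = key
    def _mac(self, pdu: bytes) -> bytes:
        return hmac.new(self.key, pdu, hashlib.sha256).digest()
    def wrap(self, pdu: bytes) -> bytes:
        return self._mac(pdu) + pdu
    def unwrap(self, data: bytes) -> bytes:
        mac, pdu = data[:32], data[32:]
        if not hmac.compare_digest(mac, self._mac(pdu)):
            raise ValueError("integrity check failed")
        return pdu

class Session:
    """Tracks the bound identity and the installed layer as separate state."""
    def __init__(self):
        self.identity = None
        self.layer = None
    def simple_bind(self, dn: str):
        self.identity = dn            # identity changes, layer is left untouched
    def sasl_bind(self, identity: str, new_layer=None):
        self.identity = identity
        if new_layer is not None:     # replacement is the only way a layer changes
            self.layer = new_layer    # assumption: no new layer keeps the old one
    def receive(self, data: bytes) -> bytes:
        return self.layer.unwrap(data) if self.layer else data

def demo():
    s = Session()
    first = IntegrityLayer(b"constructed-key-1")    # constructed sample keys
    s.sasl_bind("u:alice", first)                   # SASL bind installs a layer
    s.simple_bind("cn=bob,dc=example,dc=com")       # later simple bind
    still_installed = s.layer is first
    try:
        s.receive(b"unprotected PDU")               # must still be verified
        rejected = False
    except ValueError:
        rejected = True
    second = IntegrityLayer(b"constructed-key-2")
    s.sasl_bind("u:carol", second)                  # new negotiation replaces it
    replaced = s.layer is second
    accepted = s.receive(second.wrap(b"search")) == b"search"
    return still_installed, rejected, replaced, accepted
```
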