[Date Prev][Date Next]
Issues with current authmeth draft.
- To: ietf-ldapbis@OpenLDAP.org
- Subject: Issues with current authmeth draft.
- From: Mark Ennis <email@example.com>
- Date: Wed, 07 May 2003 15:28:49 +1000
- User-agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3) Gecko/20030312
Following are some issues I encountered with the current authmeth draft
1) The phrase "inside an OCTET STRING wrapper" is ambiguous.
This phrase is from a sentence in the fourth paragraph of section 4.3:
"The credentials field contains the arbitrary data used for
authentication, inside an OCTET STRING wrapper." It appears to be
transcribed from RFC2251.
This phrase could arguably be interpreted to mean either:
i) The SASL credentials are arbitrary data stored in the
SaslCrentials.credentials OCTET STRING field, or
ii) The SASL credentials are arbitrary data in a BER encoded OCTET
STRING in the SaslCredentials.credentials OCTET STRING field, i.e. the
SaslCredentials.credentials contains BER.
Although I interpret the intention to be i), I find the wording
ambiguous and think it should be fixed, probably by simply removing this
phrase from the sentence.
2) DIGEST-MD5 authentication identity
There does not appear to be a clear statement as to the form of the
authentication identity (as opposed to authorization identity) to be
provided in the username-value of the SASL credentials for DIGEST-MD5
(or other mechanisms). I have seen examples of this value being an
arbitrary identifier such as a Unix system might use, a LDAPDN and an
3) Section 4.3.3 *Other SASL Mechanisms*
This section states "Other SASL mechanisms may be used with LDAP, but
their usage is not considered in this document.", however, the
DIGEST-MD5 mechanism has not been referenced in section 4.3 and yet,
contrary to this statement, is considered later in the document.
- Mark Ennis.