Re: Issues with current authmeth draft.

[Mark Ennis <mark.ennis@adacel.com>]

Roger,

I am not convinced at this stage that the text under discussion needs to 
be revised. We also have the problem that "clarification" of this text 
could lead to backward compatibility problems with pre-LDAPbis systems 
as we are potentially changing assumption on which the remaining text 
has, in the past, been interpreted. Particularly given that the text 
from the [authmeth] introduction has re-iterated the same points made in 
RFC2829 *1. Introduction*.

However, that said, I was referencing the following:

The [authmeth] text in *2. Introduction* discusses the security 
considerations for LDAP, identifying a set of basic threats and then the 
security mechanisms proposed to minimise these risks, including use of 
SASL and TLS.

The [authmeth] text in *3. Rationale for LDAPv3 Security Mechanisms* 
discusses the desirability for identities to take the form of 
distinguished names and authentication data to be stored in the 
directory. It also suggests support for non-LDAPDN authorization 
identities should be supported for backward-compatibility with 
non-LDAP-based authentication services.

- Mark.

Roger Harrison wrote:
> Mark,
>  
> Would you please  provide a pointer to the text describing the 
> "reasons... for introducing SASL mechanisms..." that you are referring 
> to so that I can make appropriate changes.
>  
> Thanks,
>  
> Roger
>
>  >>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 5/12/2003 7:14:39 PM >>>
> At 05:08 PM 5/12/2003, Mark Ennis wrote:
>  >This seems counter to the reasons in RFC2829 and [authmeth] for 
> introducing SASL mechanisms, in particular, SASL DIGEST-MD5.
>
> Well then we should clarify the rationale.
>
> Kurt