RE: Simple+TLS as mandatory-to-implement (RE: Issues with current authmeth draft.)
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: RE: Simple+TLS as mandatory-to-implement (RE: Issues with current authmeth draft.)
- From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
- Date: Tue, 13 May 2003 14:38:33 +1000
- Cc: <ietf-ldapbis@OpenLDAP.org>
I guess the time for history is now passed, but I would like to note that the date on the RFC is May 2000 and that SASL profiling is a very recent occurrence. It would be interesting to hear from, say, Paul Leech, what he thought he was arguing for, or even from the authors of the RFC.
I note that LDAPbis cannot change the LDAP specification, but do you see it as possible to change the mandatory-to-implement authentication method? I note that RFC 2829 is on the Standards Track.
Ron
-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Tuesday, 13 May 2003 13:15
To: Ramsay, Ron
Cc: ietf-ldapbis@OpenLDAP.org
Subject: Simple+TLS as mandatory-to-implement (RE: Issues with current authmeth draft.)
At 07:25 PM 5/12/2003, Ramsay, Ron wrote:
>I don't believe you can mandate simple/TLS!
I certainly cannot mandate it. But the IETF certainly can.
>At the time RFC 2829 was debated, a large number on the WG wanted this. They did not get their way because of the complexity of the solution. It was argued that a password-based method would be better. I think they believed it would still be DN/password, though.
I think it is clear from this discussion that some folks didn't
get what they thought they were getting.
If one takes the view that RFC 2829 intended DNs in DIGEST-MD5
user names, then RFC 2829 is seriously broken. DNs in DIGEST-MD5
are not workable. So, it would be quite reasonable to open a
discussion on choosing a different mandatory-to-implement strong
authentication mechanism.
If one takes the view that RFC 2829 intended user names in
DIGEST-MD5 user names, then RFC 2829 just needs some clarification.
However, since significant specification and interoperability issues
exist with DIGEST-MD5, it would be reasonable here to open a
discussion on choosing a different mandatory-to-implement strong
authentication method.
At this point, I (as co-chair), consider the issue open.
Kurt