[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Comments about draft-ietf-ldapbis-authmeth-05.txt

To: Alexey Melnikov <Alexey.Melnikov@isode.com>
Subject: Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 13 Aug 2003 11:08:15 -0700
Cc: "Ramsay, Ron" <Ron.Ramsay@ca.com>, LDAPBis WG <ietf-ldapbis@OpenLDAP.org>
In-reply-to: <3F3A5615.5010605@isode.com>
References: <5.2.0.9.0.20030813071436.01c1ec78@127.0.0.1> <1395B4B334FCC143B36AF788E68B638160BC40@ausyms21.ca.com> <1395B4B334FCC143B36AF788E68B638160BC40@ausyms21.ca.com> <5.2.0.9.0.20030813071436.01c1ec78@127.0.0.1>

At 08:15 AM 8/13/2003, Alexey Melnikov wrote:
>Kurt D. Zeilenga wrote:
>
>>At 06:14 AM 8/13/2003, Alexey Melnikov wrote:
>> 
>>
>>>I suggest that some text about the issue should be included in draft-ietf-ldapbis-authmeth.
>>>   
>>
>>If authmeth says anything about DNs and DIGEST-MD5, it should say
>>that the DIGEST-MD5 username and realm fields are, per the DIGEST-MD5
>>TS,
>Can you point me to the section where DIGEST-MD5 says that.

The DIGEST-MD5 TS [RFC2831] defines a username to be the user's
name (account) in a realm where the realm is a collection of names
(accounts), both have the form of a simple string and are to be
compared as simple strings.

>>syntactically and semantically not DNs.  They are syntactically
>>and semantically simple usernames and realms, respectively.
>I disagree. DIGEST-MD5 doesn't say anything about syntax of username or realm,

DIGEST-MD5 defines the syntax of the username and realm using ABNF.

>so it definitely allows for DN syntax.

It allows usernames that **look like** a string representation of a DN to
appear in the protocol, but they are not DNs to the protocol.  They
are usernames to the protocol.  One can have a realm that looks like
a domain name, but to the protocol its a realm.  The username is matched
per the username matching rules and not DN matching rules and the realm
is matched per realm matching rules and not domain matching rules.

>And because there is no common definition of "simple username" I would argue that a DN can be considered one for LDAP ;-).

There is a common definition, it's a "simple user name", e.g. an
account name.  A DN doesn't name a user, it names a entry.

>(On a related note, I've seen IMAP servers that have used DNs as usernames).

Did these IMAP servers allow all equivalent string representations
of the DN which referred to a user to be used as equivalent usernames in
DIGEST-MD5?  If no, then obviously the IMAP server didn't support
DNs as usernames.  It supported usernames which **looked like** DN
strings.

Kurt

Follow-Ups:
- Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
  - From: Alexey Melnikov <Alexey.Melnikov@isode.com>

References:
- Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: Comments about draft-ietf-ldapbis-authmeth-05.txt
  - From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
- Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
  - From: Alexey Melnikov <Alexey.Melnikov@isode.com>

Prev by Date: Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
Next by Date: RE: Comments about draft-ietf-ldapbis-authmeth-05.txt
Index(es):
- Chronological
- Thread