[Date Prev][Date Next]
Re: Comments about draft-ietf-ldapbis-authmeth-06.txt
- To: Roger Harrison <RHARRISON@novell.com>
- Subject: Re: Comments about draft-ietf-ldapbis-authmeth-06.txt
- From: Alexey Melnikov <Alexey.Melnikov@isode.com>
- Date: Wed, 08 Oct 2003 18:54:18 +0100
- Cc: ietf-ldapbis@OpenLDAP.org
- In-reply-to: <firstname.lastname@example.org>
- References: <email@example.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Roger Harrison wrote:
> >4.2.3. TLS Connection Closure Effects
> > Closure of the TLS session MUST cause the LDAP association to move
> > to an anonymous authentication and authorization state regardless of
> > the state established over TLS and regardless of the authentication
> > and authorization state prior to TLS session establishment.
> Ok, this was discussed before, so I might be missing some context.
> But is there any good reason for this?
This has been discussed before. Leaving the authorization state
unchanged isn't feasible because it could open security holes (high
level of authorization with lack of TLS protection). The best I can
tell, there are really only two reasonable alternatives:
1. restore the authorization state that existed just prior to
initiation of TLS session establish
2. go to anonymous authorization state
#1 may be difficult for servers to implement, so #2 was chosen as the
default action. It also guarantees a well-known state upon TLS closure.
I think you should add the explanation you gave me to the document.
The reason why I've asked this questions is as follows. Imagine that the
client used TLS and than authenticated using GSSAPI (Kerberos) or
Then the client decides to close TLS. Why is suddenly authentication
information is invalid, it wasn't derived from TLS information in the
This is just an unexpected behavior.
I guess the answer to this might be "Doctor, it hurts when I do this." -
"Don't do this".
Isode Limited, http://www.isode.com
Cell: +44 7753759732
IETF standard related pages:
Personal Home Page: http://orthanc.ab.ca/mel