authmeth-08 comments



> 3. Bind Operation 
>     
>   The Bind operation defined in section 4.2 of [Protocol] allows 
>   authentication information to be exchanged between the client and 
>   server to establish a new LDAP association.
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I would say '...to replace the old LDAP association with a new one',
otherwise it looks too much like creating a new connection.

> 3.2. Simple Authentication  

Why was the mention of cleartext passwords removed here?  Now the only
mention of cleartext passwords is in Security Considerations, but
without mentioning that Simple Authentication uses them.

> 3.3.5. Rules for using SASL security layers 

>   If the client is configured to support multiple SASL mechanisms, it 
>   SHOULD fetch the supportedSASLmechanisms list both before and after 
>   the SASL security layer is negotiated. This allows the client to 
>   detect active attacks that remove supported SASL mechanisms from the 
>   supportedSASLMechanisms list and allows the client to ensure that it 
>   is using the best mechanism supported by both client and server. (In 
>   particular, this allows for environments where the 
>   supportedSASLMechanisms list is provided to the client through a 
>   different trusted source, e.g. as part of a digitally signed 
>   object.) 

This ()'ed text is misleading, I liked the original better.  It isn't
what the client SHOULD do which allows for what the () says, but that it
may ignore the SHOULD.  You could say something like this:

    (Though it need not re-fetch supportedSASLMechanisms in
    environments where the supportedSASLMechanisms list was provided to
    the client through a different trusted source, e.g. as part of a
    digitally signed object.)

> 3.4.1. Authorization Identity Syntax 
>   The authorization identity is a string of [UTF-8] encoded [Unicode] 
>   (...)
>   is defined as only a sequence of of [UTF-8] encoded [Unicode] 

I don't know if this will happen, but the text "UTF-8" is lost if the
RFC Editor replaces [UTF-8] with [RFCnnnn].  If so, you need to write
'UTF-8 [UTF-8]'.

The same applies to '[TLS]' and '[PLAIN]' various places in the document.

BTW, remove an "of" in "of of".

> 4.1.5. Server Identity Check 

>     - The client MUST use the server provided by the user (or other 
>       trusted entity) as the value to compare against the server name 

I'm not sure why you deleted 'hostname' after 'server' in the first line
here, but shouldn't it at least be 'server name'?


BTW, should I go through my 'authmeth-07 issues' message and list the
ones that are still outstanding?

-- 
Hallvard
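The before/after comparison that the quoted 3.3.5 text asks of the client, as an added example that is not part of this message or of the draft; the root DSE fragments, the mechanism names and the client preference order are constructed for illustration.

```python
from typing import Dict, Optional, Sequence, Set

# Client preference order, strongest first (constructed for this example).
CLIENT_PREFERENCE: Sequence[str] = ("GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN")

# Constructed root DSE fragments: the first read over the unprotected
# connection, the second after the SASL security layer is in place.
ROOT_DSE_UNPROTECTED = """dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
"""
ROOT_DSE_PROTECTED = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
"""

def parse_sasl_mechanisms(root_dse_ldif: str) -> Set[str]:
    """Collect supportedSASLMechanisms values from an LDIF rendering of the root DSE."""
    mechs: Set[str] = set()
    for line in root_dse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.add(value.strip().upper())
    return mechs

def best_mechanism(offered: Set[str], preference: Sequence[str] = CLIENT_PREFERENCE) -> Optional[str]:
    """Strongest mechanism, by client preference, that the server also offers."""
    for mech in preference:
        if mech in offered:
            return mech
    return None

def detect_downgrade(unprotected: Set[str], protected: Set[str], negotiated: str,
                     preference: Sequence[str] = CLIENT_PREFERENCE) -> Dict[str, object]:
    """Compare the pre- and post-negotiation lists.

    Mechanisms present only in the protected list were stripped from the
    unprotected response (the active attack 3.3.5 warns about); if a stronger
    mechanism than the one negotiated is now visible, the client should re-bind.
    """
    stripped = protected - unprotected
    best = best_mechanism(protected, preference)
    rank = {m: i for i, m in enumerate(preference)}
    should_rebind = best is not None and rank[best] < rank.get(negotiated, len(preference))
    return {"stripped": sorted(stripped), "best": best, "should_rebind": should_rebind}

if __name__ == "__main__":
    before = parse_sasl_mechanisms(ROOT_DSE_UNPROTECTED)
    after = parse_sasl_mechanisms(ROOT_DSE_PROTECTED)
    print(detect_downgrade(before, after, negotiated="DIGEST-MD5"))
```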