Re: Revisited: effect of Start TLS on authentication state
Roger Harrison writes:
> Option 1. Keep the requirement that servers MUST not change the
> authentication and authorization state of the LDAP association when a
> security service such as Start TLS is added to the session.
OK...
> Add wording that says that servers SHOULD (MUST?) not allow the LDAP
> association to achieve authentication/authorization states that it
> will not honor across a Start TLS operation by returning a resultCode
> of confidentialityRequired for bind operations that would achieve
> these states if processed.
Some binds _before_ Start TLS should fail, just because a later Start
TLS won't like them? That makes no sense if the client isn't planning
to send Start TLS.
I prefer that servers SHOULD respond with strongAuthRequired to requests
_following_ Start TLS, until the next bind or TLS closure. Unless other
protection is already in place, like a SASL security layer.
--
Hallvard
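To make the two positions in the message concrete, here is a small Python model of one LDAP association's authentication state across Start TLS. It is an added, constructed illustration, not code from this thread, from any RFC, or from any LDAP server. It models the behaviour Hallvard prefers: the server leaves the authentication/authorization state untouched at Start TLS, a Bind before Start TLS is never refused on the speculation that a later Start TLS will not honor it, and non-Bind requests after Start TLS get strongerAuthRequired until the next Bind or TLS closure, unless a SASL security layer already protects the session. The result-code numbers are the RFC 4511 values (strongerAuthRequired is the "strongAuthRequired" of the thread); the class and function names, and the choice to keep the authorization identity across TLS closure, are this example's own assumptions.

```python
"""Toy model of one LDAP association's authentication state across Start TLS.

Constructed illustration (not code from the thread, an RFC, or any server).
Result codes are the RFC 4511 values: success(0), operationsError(1),
strongerAuthRequired(8), confidentialityRequired(13).
"""
from dataclasses import dataclass

SUCCESS = 0
OPERATIONS_ERROR = 1
STRONGER_AUTH_REQUIRED = 8
CONFIDENTIALITY_REQUIRED = 13   # what Option 1's extra wording would return; unused here


@dataclass
class Association:
    authz_id: str = "anonymous"   # authorization identity of the association
    tls: bool = False             # Start TLS has been negotiated
    sasl_layer: bool = False      # a SASL security layer already protects the session
    reauth_needed: bool = False   # set by Start TLS, cleared by a Bind or TLS closure

    def bind(self, identity, sasl_layer=False):
        """A Bind is never refused merely because a later Start TLS would not
        honor its result (the objection to Option 1's added wording)."""
        self.authz_id = identity
        self.sasl_layer = sasl_layer
        self.reauth_needed = False
        return SUCCESS

    def start_tls(self):
        if self.tls:
            return OPERATIONS_ERROR      # Start TLS on an already TLS-protected association
        self.tls = True
        # The authentication/authorization state itself is NOT changed here,
        # but unless other protection (a SASL security layer) was already in
        # place, further requests are refused until the client binds again.
        if not self.sasl_layer:
            self.reauth_needed = True
        return SUCCESS

    def close_tls(self):
        """TLS closure ends the re-bind requirement. Whether the authz state
        survives closure is not settled by the thread; this model keeps it
        (an assumption of the example)."""
        self.tls = False
        self.reauth_needed = False
        return SUCCESS

    def request(self):
        """Any non-Bind operation, e.g. a Search."""
        if self.reauth_needed:
            return STRONGER_AUTH_REQUIRED
        return SUCCESS


def simple_bind_then_start_tls():
    """Bind in the clear, then Start TLS: state survives, requests are blocked
    until the client binds again. Returns the (step, result) trace."""
    a = Association()
    return [
        ("bind alice", a.bind("cn=alice,dc=example,dc=com")),
        ("search", a.request()),
        ("start tls", a.start_tls()),
        ("authz after start tls", a.authz_id),   # unchanged by Start TLS
        ("search", a.request()),                 # strongerAuthRequired until re-bind
        ("bind alice again", a.bind("cn=alice,dc=example,dc=com")),
        ("search", a.request()),
    ]


def sasl_layer_then_start_tls():
    """A SASL security layer already protects the session: no re-bind demanded."""
    a = Association()
    return [
        ("sasl bind alice", a.bind("cn=alice,dc=example,dc=com", sasl_layer=True)),
        ("start tls", a.start_tls()),
        ("search", a.request()),
    ]


if __name__ == "__main__":
    for step, result in simple_bind_then_start_tls() + sasl_layer_then_start_tls():
        print(f"{step:24s} -> {result}")
```

Running the module prints the two traces: in the first, the Search immediately after Start TLS returns 8 (strongerAuthRequired) while the association still reports alice as its authorization identity; in the second, the SASL-layer-protected association is not asked to bind again.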