
Re: Revisited: effect of Start TLS on authentication state



Roger Harrison writes:
> Option 1. Keep the requirement that servers MUST not change the
> authentication and authorization state of the LDAP association when a
> security service such as Start TLS is added to the session.

OK...

> Add wording that says that servers SHOULD (MUST?) not allow the LDAP
> association to achieve authentication/authorization states that it
> will not honor across a Start TLS operation by returning a resultCode
> of confidentialityRequired for bind operations that would achieve
> these states if processed.

Some binds _before_ Start TLS should fail, just because a later Start
TLS won't like them?  That makes no sense if the client isn't planning
to send Start TLS.

I prefer that servers SHOULD respond with strongAuthRequired to requests
_following_ Start TLS, until the next bind or TLS closure.  Unless other
protection is already in place, like a SASL security layer.

-- 
Hallvard
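A toy model of the two proposals in this exchange, added here as an illustration; it is not code from the thread or from any LDAP implementation. The policy names, the result-code strings, and the assumption that the "states the server will not honor across Start TLS" in Option 1 are non-anonymous binds made before Start TLS are mine.

```python
"""Model of one LDAP association's authentication state across Start TLS.

Policies (names assumed for this example):
  "option1"      Roger's Option 1: state survives Start TLS, but a bind that
                 would reach a state the server will not honor across a later
                 Start TLS is refused with confidentialityRequired.
  "after_tls"    Hallvard's alternative: state survives Start TLS, but requests
                 following Start TLS get strongAuthRequired until the next bind
                 or TLS closure, unless a SASL security layer already protects
                 the session.
"""
from dataclasses import dataclass

SUCCESS = "success"
CONFIDENTIALITY_REQUIRED = "confidentialityRequired"
STRONG_AUTH_REQUIRED = "strongAuthRequired"


@dataclass
class Association:
    policy: str
    authz: str = "anonymous"   # authorization identity of the association
    tls: bool = False          # Start TLS has been negotiated
    sasl_layer: bool = False   # a SASL security layer is in place
    rebind_needed: bool = False

    def bind(self, who: str, sasl_layer: bool = False) -> str:
        # Assumption for Option 1: a non-anonymous bind over cleartext is a state
        # the server will not honor across Start TLS, so refuse it up front.
        if self.policy == "option1" and not self.tls and who != "anonymous":
            return CONFIDENTIALITY_REQUIRED
        self.authz, self.sasl_layer, self.rebind_needed = who, sasl_layer, False
        return SUCCESS

    def start_tls(self) -> str:
        self.tls = True  # neither policy changes authz here (the MUST-NOT rule)
        if self.policy == "after_tls" and not self.sasl_layer:
            self.rebind_needed = True  # literal reading: all later requests
        return SUCCESS

    def tls_closure(self) -> str:
        self.tls, self.rebind_needed = False, False
        return SUCCESS

    def request(self) -> str:
        """Any non-bind operation (search, modify, ...)."""
        return STRONG_AUTH_REQUIRED if self.rebind_needed else SUCCESS
```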