
Re: Revisited: effect of Start TLS on authentication state



At 12:38 AM 12/6/2003, Hallvard B Furuseth wrote:
>> The decision to keep or invalidate the established authentication and
>> authorization identities in place after TLS closure is a matter of local
>> server policy.
>
>Why?

The rationale is that servers are allowed, for any reason,
to invalidate the LDAP association.  It makes no sense to
say that they cannot do that as a result of TLS closure
when they could do otherwise.

>I don't remember any threads about problems with reverting to
>anonymous on TLS closure. 

(While I recall some previous discussions in this area,) the
proposal certainly was discussed at IETF#58.  Now it's being
taken to the list.  Hopefully we'll be able to close on it soon.

>Maybe there are current servers that don't do that, so the requirement that closure revert to anonymous would be an incompatible change? 

No, because clients today have to deal with instances where
the server, at the server's will, invalidates the LDAP association.

Kurt
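To see what this means for a client, here is an added example that is not part of the thread and not code from any LDAP server or client implementation: a toy Python model in which the server's local policy decides whether TLS closure reverts the association to anonymous, and a client written so that it works under either policy. The server object, the credential table, and the operation names (start_tls, bind, tls_closure, whoami) are constructed stand-ins for the real protocol operations; "whoami" plays the role of the "Who am I?" extended operation (RFC 4532).

```python
"""Model of an LDAP association's authentication state across StartTLS and
TLS closure.  Constructed example; not a real LDAP implementation."""
from dataclasses import dataclass, field
from enum import Enum


class ClosurePolicy(Enum):
    """Server-side local policy applied when the TLS layer is closed."""
    KEEP = "keep"              # bound identity survives TLS closure
    INVALIDATE = "invalidate"  # association reverts to anonymous


@dataclass
class ToyServer:
    """One LDAP association as seen by a server with a given closure policy."""
    policy: ClosurePolicy
    authz_id: str = ""         # "" models the anonymous state
    tls_active: bool = False
    # Constructed credential table; any real directory would consult its DIT.
    credentials: dict = field(
        default_factory=lambda: {"cn=app,dc=example,dc=com": "hunter2"})

    def start_tls(self) -> None:
        if self.tls_active:
            raise RuntimeError("StartTLS while TLS is already active")
        self.tls_active = True

    def bind(self, dn: str, password: str) -> str:
        # A failed bind always leaves the association anonymous.
        if self.credentials.get(dn) == password:
            self.authz_id = dn
            return "success"
        self.authz_id = ""
        return "invalidCredentials"

    def tls_closure(self) -> None:
        self.tls_active = False
        if self.policy is ClosurePolicy.INVALIDATE:
            self.authz_id = ""   # local policy: revert to anonymous

    def whoami(self) -> str:
        return self.authz_id


class RobustClient:
    """Client that never assumes a bind survived TLS closure."""

    def __init__(self, server: ToyServer, dn: str, password: str):
        self.server, self.dn, self.password = server, dn, password
        self.rebinds = 0

    def ensure_authenticated(self) -> None:
        """Re-bind only if the server reports we are no longer who we bound as.
        Password binds go over TLS, so TLS is re-established first."""
        if self.server.whoami() == self.dn:
            return
        if not self.server.tls_active:
            self.server.start_tls()
        if self.server.bind(self.dn, self.password) != "success":
            raise RuntimeError("re-bind failed")
        self.rebinds += 1


def run_session(policy: ClosurePolicy) -> tuple[str, int, str]:
    """Start TLS, bind, close TLS, then let the client recover.
    Returns (identity seen right after closure, number of re-binds,
             identity after the client's recovery step)."""
    dn, pw = "cn=app,dc=example,dc=com", "hunter2"
    server = ToyServer(policy)
    client = RobustClient(server, dn, pw)
    server.start_tls()
    assert server.bind(dn, pw) == "success"
    server.tls_closure()
    after_closure = server.whoami()
    client.ensure_authenticated()
    return after_closure, client.rebinds, server.whoami()


if __name__ == "__main__":
    for p in ClosurePolicy:
        print(p.value, run_session(p))
```

The point the model makes is the one in the reply above: a client that queries its own authorization identity (or simply expects a possible invalidation and re-binds) works against both policies, whereas a client that assumes the bind persists through closure only works against servers that happen to keep it. Re-binding with a password after the TLS layer is gone is deliberately avoided here by re-running StartTLS first.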