
Re: Revisited: effect of Start TLS on authentication state



At 01:17 PM 12/7/2003, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 12:38 AM 12/6/2003, Hallvard B Furuseth wrote:
>>>> The decision to keep or invalidate the established authentication
>>>> and authorization identities in place after TLS closure is a matter
>>>> of local server policy.
>>>
>>>Why?
>> 
>> The rationale is that servers are allowed, for any reason,
>> to invalidate the LDAP association.  It makes no sense to
>> say that they cannot do that as a result of TLS closure
>> when they could do otherwise.
>
>I don't understand.

Sorry.  I only stated why servers should be free to invalidate
the association in this case, but not why they should also
be free to maintain the association.  Let me do that now.

If client and server, before or after starting TLS, established
strong authentication (possibly with layers), they should not be
forced to renegotiate strong authentication.  It also would make
little sense to leave the SASL layers in place (as required by
RFC 2222) yet move the LDAP association (which those layers are
bound to) into anonymous state.  Also, it makes no sense that TLS
closure would cause such but changes to the TLS cipher suite,
say to the null cipher suite, would not.

Lastly, it is reasonable for a client which has established
strong authentication and security layers through SASL to
close TLS to reduce resource consumption.

(One case where it might be good to suggest/recommend servers
drop the LDAP association is when SASL/EXTERNAL was used and
the lower-level identity came from TLS.)
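The policy argued for above, as an added illustration that is not part of this thread or of any LDAP server's code: a hypothetical model of the LDAP association state and a TLS-closure handler that keeps the identity when SASL layers remain bound to it, reverts to anonymous when the identity was derived from TLS via SASL/EXTERNAL, and otherwise applies a local server setting (the `drop_on_tls_close` flag is assumed, not a real configuration option).

```python
"""Hypothetical model of what a server does to an LDAP association's
authentication state when the client closes TLS (added example)."""
from dataclasses import dataclass, replace
from enum import Enum


class Source(Enum):
    ANONYMOUS = "no authentication"
    SIMPLE = "simple bind over the session"
    SASL_WITH_LAYER = "SASL mechanism that installed its own security layer"
    SASL_EXTERNAL_TLS = "SASL/EXTERNAL mapped from the TLS client certificate"


@dataclass(frozen=True)
class Association:
    authz_id: str            # "" means anonymous
    source: Source
    tls_active: bool
    sasl_layer_active: bool  # SASL integrity/confidentiality layer in place


ANONYMOUS = Association("", Source.ANONYMOUS, False, False)


def on_tls_closure(assoc: Association, drop_on_tls_close: bool) -> Association:
    """Return the association state after TLS closure.

    drop_on_tls_close is a hypothetical local-policy setting; the message
    says servers are free to choose either way in the general case.
    """
    if not assoc.tls_active:
        return assoc  # no TLS to close; state unchanged
    closed = replace(assoc, tls_active=False)
    if assoc.source is Source.SASL_EXTERNAL_TLS:
        # The identity came from the TLS client certificate; once TLS is
        # gone nothing backs it, so the association becomes anonymous.
        return ANONYMOUS
    if assoc.sasl_layer_active:
        # SASL layers stay in place (RFC 2222) and are bound to this
        # identity, so the association keeps it regardless of local policy.
        return closed
    # Plain case: local policy decides whether to keep or invalidate.
    return ANONYMOUS if drop_on_tls_close else closed
```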