Intro issues (Was: authmeth review notes [long])
At 10:09 AM 3/9/2004, Hallvard B Furuseth wrote:
>>> (2) Client authorization by means of access control based on the
>>> requestor's authenticated identity,
>>
>> Given that LDAP doesn't offer an authorization (access control)
>> model, this seems dubious (even with the note below). However, I
>> don't have a suggestion (at the moment) on how to better address
>> this.
>
>Put "Servers are expected to support" in front of the sentence?
I don't think servers are necessarily expected to support a means of
access control. There are, after all, servers which do not support
any form of authentication. But more importantly, this list is of
security services LDAP provides. I don't think LDAP provides this
expectation and, even if it did, it's only an expectation.
>>> Given the presence of the Directory, there is a strong desire to see
>>> mechanisms where identities take the form of an LDAP distinguished
>>> name [LDAPDN] and authentication data can be stored in the
>>> directory.
>>
>> s/see/use/
>> s/take the form of an LDAP distinguished name/
>> s/are represented as distinguished names [X.501][Models] in string
>> form [LDAPDN]/.
>
>>> This means that this data must be updated outside the
>>> protocol or only updated in sessions well protected against
>>> snooping.
>>
>> s/snooping/eavesdropping/ (use RFC2828 term)
>
>This sentence has nothing to do with DN identities and authentication
>data in the directory. It also applies if the server supports an
>extended operation to modify passwords stored outside the directory,
>with non-DN identities. I think it belongs in Section 11 - unless
This section is introductory. It's providing some background as to
why particular security services are offered and why particular
applicability statements have been made. Section 11 is basically
stating a security consideration.
So, I don't think this introductory/background information should be
moved. (This is not to say additional security considerations should
or shouldn't be stated.)
>Section 11 is modified to only talk about authentication, like Kurt
>suggested in thread 'authmeth: passwords in the clear', message
><http://www.openldap.org/lists/ietf-ldapbis/200402/msg00086.html>:-)
>Also, it applies to any sensitive data, not just authentication data.
>So I'm not sure that there is any need to mention this special case at all.
>
>>> It is also desirable to allow authentication methods to
>>> carry identities not represented as LDAP DNs that are familiar to
>>> the user or that are used in other systems.
>>
>> suggest:
>> It is also desirable to allow authentication methods to
>> carry identities (other than DNs) that are familiar to the
>> user or that are used in other systems.
>
>...and also to authenticate against existing credentials maintained and
>stored outside the LDAP installation.
It can be argued that "used" encompasses both "maintained" and "stored".