Re: appropriateness of combination of controls (new suggestion)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

The semantics of most combinations of controls are unspecified.
While I would agree that existing implementations do implement
some combinations of controls whose semantics are unspecified, I
hope they have done so only after fully considering the implications.
In particular, I would hope servers only viewed a control
appropriate for the operation if the semantics of the operation
(as extended by that and other controls) were clear to the
implementors of the server and the clients the server was intended
to interact with.

I believe that existing implementations, when faced with a
combination of two non-critical controls they believe to have
mutually-exclusive semantics, will ignore one or both of the
controls instead of failing the operation.  It's my view this is
what RFC 2251 intended servers to do when it repeatedly used the
language "appropriate for the operation".  (If you know of servers
which behave differently, I'd be interested in details.)

My view is that the most reasonable answer to:
  When is a control "appropriate for the operation"?
is:
  When the specification of the control states that it is.

The question as to whether a particular specification is clear
enough and/or explicit enough it this statement, or otherwise
adheres to current practices, should be discussed in review of
document detailing it... and possibly as part of a review of
a document detailing best current practices in this area.
(And where we find existing specifications not to be up to
snuff here, we should revise them.)

At 09:56 AM 5/14/2004, Jim Sermersheim wrote:
>I think we're getting overly wordy with all this.

Though you said this in a particular context, I believe it applies
generally here.  I'm going to try to produce a less wordy text.