
Re: Applicability (Was: authmeth review notes [long])



Roger Harrison writes:
> I've reviewed your fairly lengthy debate on this subject and have made
> the following adjustments to the next draft of authmeth:
>
> 1. I have decided to explicitly call out mechanism names. Although they
> are a bit long, the names I've decided on (for consistency with the
> protocol definition) are: Anonymous Authentication Mechanism of the
> Simple Bind Choice, Unauthenticated Authentication Mechanism of the
> Simple Bind Choice, and Simple Authentication Mechanism of the Simple
> Bind Choice.  Each has its own section with parallel language regarding
> the way the mechanism is used.

Whoops, I'd forgotten that debate.  Decided to sleep on some attempted
improvements which I wasn't satisfied with, and 'slept' too long.

I'm undecided about whether expanding the Bind terms is better than
defining shorter terms.  Fewer definitions to keep track of make it
easier to read the standard, but OTOH the above terms are too long for
everyday use, so people are going to abbreviate them anyway.  With
expanded names as above, preferably the mechanism names should at least
lend themselves to abbreviations that remain reasonably unambiguous.  If
I could just come up with an alternative for 'anonymous' bind which
can't be misunderstood to include 'unauthenticated':-( 'Unnamed' or
'nameless' are my best so far, but sound a bit strange to me.

Could the above terms at least be shortened a little, like
'xxx Authentication Mechanism of the Simple Bind Choice'
-> 'xxx mechanism of Simple Bind'?


Anyway: I dislike the 'anonymous' vs. 'unauthenticated' terminology,
with or without the above verbosity.  The two words keep getting
confused.  With good reason:

The 'unauthenticated' mechanism, spelled out or not, produces an
'anonymous' association.  OTOH, an LDAP 'anonymous' (neither DN nor
password) bind or 'anonymous' association can in non-LDAP terms be said
to be 'unauthenticated'.

Indeed, when I googled for 'unauthenticated bind', I found just as many
texts which meant one of the variants of 'anonymous'.  And a lot of
texts where I couldn't tell if they got it right or not.
And of course, some 'anonymous' binds out there mean both variants,
while others mean neither DN nor password.


It would be preferable if the binds that produce 'anonymous'
associations were the same binds that are called something with
'anonymous'.  However, that fits neither 'unauthenticated' simple binds
nor the SASL/ANONYMOUS mechanism.  So I think 'anonymous associations'
should be renamed, but I can't come up with a suggestion.  Still, it's a
new term, and thus should be easier to kill off than the established
Bind terms.

'Unauthenticated' binds could be renamed to e.g. 'informative' or
'informational' simple bind (possibly expanded as Roger does above),
with a note that it was previously called 'unauthenticated' and this
caused confusion.

-- 
Hallvard
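The three Simple Bind mechanisms the thread distinguishes, as an added Python example (not text from the authmeth draft or code from any LDAP server): it encodes and decodes a BindRequest at the BER level, names the mechanism from the DN/password pair, and shows that an accepted 'unauthenticated' bind still ends in an anonymous association. The `verify` callback, the `allow_unauthenticated` switch and the sample DN are assumptions; BER long-form lengths are deliberately not handled.

```python
# Added example, not the draft's or any server's code. BER short-form lengths only (all messages < 128 bytes).
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53   # LDAP resultCode values

def _tlv(tag: int, body: bytes) -> bytes:          # encode one BER TLV (short-form length)
    return bytes([tag, len(body)]) + body

def build_simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, name, simple [0] pw}}."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):               # decode TLV at pos -> (tag, value, next pos)
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not supported in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_simple_bind(msg: bytes):
    """Return (name, password bytes) from a raw LDAPMessage; rejects non-simple binds."""
    _, body, _ = _read_tlv(msg, 0)                 # LDAPMessage SEQUENCE
    _, _msg_id, pos = _read_tlv(body, 0)           # messageID INTEGER
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)          # version INTEGER
    _, name, pos = _read_tlv(bind, pos)            # name LDAPDN
    auth_tag, cred, _ = _read_tlv(bind, pos)       # AuthenticationChoice
    if auth_tag != 0x80:                           # [3] would be SaslCredentials
        raise ValueError("not a simple bind")
    return name.decode(), cred

def mechanism(name: str, password: bytes) -> str:
    """Which of the three Simple Bind mechanisms a (name, password) pair selects."""
    if not name and not password:
        return "anonymous"          # neither DN nor password
    if name and not password:
        return "unauthenticated"    # DN but empty password: the easily confused one
    return "simple"                 # DN and password

def bind_outcome(msg: bytes, verify, allow_unauthenticated: bool = False):
    """Server decision: (resultCode, association). verify(name, pw) is the password check.
    Unauthenticated binds are refused unless opted in, the default the published RFC 4513 asks for."""
    name, password = parse_simple_bind(msg)
    mech = mechanism(name, password)
    if mech == "anonymous":
        return SUCCESS, "anonymous"
    if mech == "unauthenticated":   # never authenticates as `name`; at best an anonymous association
        return (SUCCESS, "anonymous") if allow_unauthenticated else (UNWILLING_TO_PERFORM, None)
    return (SUCCESS, name) if verify(name, password) else (INVALID_CREDENTIALS, None)
```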