
authmeth: Access controls vs. confidentialityRequired



[Authmeth] says:

> 3.1.1. StartTLS Request 

>    If the client did not establish a TLS connection before sending a
>    request and the server requires the client to establish a TLS
>    connection before performing that request, the server MUST reject
>    that request by sending a resultCode of confidentialityRequired.

If the security strength is used as an access control factor, the result
will be insufficientAccessRights.  The server could (SHOULD?) continue
to check if the operation would otherwise be allowed and if so return
confidentialityRequired, but I wonder if that can get too hairy to
implement in all cases and we should do s/MUST/SHOULD/ above.  In either
case, I think this should be mentioned.

Maybe this should also be mentioned under B.2 (Access Control Factors),
for the "encryption strength" factor.

-- 
Hallvard
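
The two-pass check discussed in the message above, as an added example that is not part of the original post or of any server's code: the access check runs at the connection's actual strength and, on denial, runs again with the strength factor satisfied to choose between the two result codes. The `Rule` format, the function names and the sample DNs are hypothetical, and DN matching is simplified to a suffix comparison.

```python
from dataclasses import dataclass

# Standard LDAP result code values
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13
INSUFFICIENT_ACCESS_RIGHTS = 50

@dataclass(frozen=True)
class Rule:            # hypothetical ACL entry, not any server's real format
    op: str            # operation name, e.g. "modify"
    subtree: str       # DN suffix the rule covers
    who: str           # bind DN granted access
    min_ssf: int       # encryption strength required (0 = none)

def allowed(rules, op, target, bind_dn, ssf):
    """True if some rule grants op on target to bind_dn at strength ssf."""
    return any(r.op == op and target.endswith(r.subtree)
               and r.who == bind_dn and ssf >= r.min_ssf
               for r in rules)

def result_code(rules, op, target, bind_dn, ssf):
    """Pick the result code for a request arriving at strength ssf."""
    if allowed(rules, op, target, bind_dn, ssf):
        return SUCCESS
    # Second pass: repeat the check as if the strongest requirement in
    # the policy were met. Only if that succeeds is the missing
    # encryption the sole reason for the denial.
    best = max((r.min_ssf for r in rules), default=0)
    if allowed(rules, op, target, bind_dn, best):
        return CONFIDENTIALITY_REQUIRED
    return INSUFFICIENT_ACCESS_RIGHTS

# Constructed sample policy and identities
ADMIN = "cn=admin,dc=example,dc=com"
USER = "uid=bob,ou=people,dc=example,dc=com"
RULES = [
    Rule("modify", "ou=people,dc=example,dc=com", ADMIN, 128),
    Rule("search", "dc=example,dc=com", ADMIN, 0),
]

if __name__ == "__main__":
    for dn, ssf in [(ADMIN, 0), (ADMIN, 256), (USER, 0), (USER, 256)]:
        print(dn, ssf, result_code(RULES, "modify", USER, dn, ssf))
```

With a single flat rule list the second pass is cheap; a policy whose strength requirements are spread across many interacting rules needs every one of them re-evaluated.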