[Date Prev][Date Next]
RE: "LDAP exchange" (was: Misuse of the term "association" in [Protocol])
At 06:59 PM 10/4/2004, Jim Sermersheim wrote:
>The current definition of 'association' refers to the authN and authZ
>state as it applies to the <whatever term you want which describes the
>exchange of LDAP PDUs>. If we use 'association' for that, then do we
>need a new term for the old association definition?
>Maybe we need to agree on the things that need defining, then define
>them, then name them.
Well first, are we merely defining terms which refer
to protocol layers or defining terms which refer to
service at that layer. If it was for the former, we'd
be using 'transport layer' not 'connection'. I think
its clear from the usage, that the terms refer both
the layer and service at that layer. I'd argue more
of the latter than the former.
>Then there is (or at least there was) the thought that we need to
>provide a term which describes the association of the authN and authZ
>state as it relates to Layer 4.
>Kurt's suggestion is that we don't need to define (nor name) this.
My suggestion is primarily aimed at leaving the discussion
of authentication, authorization, and security associations
(regardless of layers involved) to [AuthMeth].
>But that we instead update the doc in the
>places he described. I agree with most of the changes, but the change to
>Section 6 makes me feel like the term was useful, and we're rewording
>just so we can drop the use of the term.
I generalized the security consideration so that it accounted
for other factors, e.g., factors which are not tied to the
'association' (whatever that means).
>If we decide to drop the term 'association' as Kurt suggested, do we
>want to re-adopt it as the term to describe Layer 4 (I think this is
>what Ron is asking for)?
First, I don't think Ron is necessarily asking for that.
He seems to be saying 'LDAP association' have a lifespan
not longer than the next Bind operation. However, service
at the layer where LDAP PDUs are exchanged continues until
the connection closure.
Second, that would likely only create a need for a new term
in [authmeth] to refer to service at any and all layers,
and associated authentication, authorization, security,
and other factors.
>>>> "Ramsay, Ron" <Ron.Ramsay@ca.com> 10/4/04 7:07:31 PM >>>
>I had a look in *protocol*26.txt for a definition of "LDAP exchange"
>and got nothing! Here are some quotes:
>"The term "connection" refers to the underlying transport service used
> to carry the protocol exchange."
>- This is the first use of "exchange" (apart from the TOC) and is
>clearly not a definition.
>"The term "LDAP exchange" refers to application layer where LDAP PDUs
> are exchanged between protocol peers."
>- I wouldn't call this a definition either. a) How can an "exchange" be
>a layer? b) It "refers" to an application layer, but what is it?
>"The term "SASL layer" refers to a layer inserted between the
> connection and the LDAP exchange that utilizes Simple Authentication
> and Security Layer ([SASL]) to protect the exchange of LDAP PDUs."
>- This use of exchange is more normal - peers simply exchanging PDUs,
>no semantics implied.
>So much for "exchange".
>Now, tell me, what is your objection to "association". Or, to be more
>specific, what sentence or paragraph in protocol-26 do you think
>requires a term like (ugh) "exchange"?
>PS Some comments inline
>From: Hallvard B Furuseth [mailto:firstname.lastname@example.org]
>Sent: Monday, 4 October 2004 22:57
>To: Ramsay, Ron
>Subject: "LDAP exchange" (was: Misuse of the term "association" in
>Ramsay, Ron writes:
>> I note that you are not listening to me, and I guess that it OK. But
>> this problem will not go away until you drop this strange "LDAP
>> exchange" thing. It DOES NOT, at least in English, mean the ongoing
>> exchange of protocol data.
>Nor is it defined that way in [Protocol]. Did you see my message
><RR> Yes. I don't think the word "exchange" can be used in this
>context. "Stream" is certainly better.
>> The only chance for sanity here is to keep "association" and drop
>That would be wrong, since "association" is defined as something
>different. We could rename the term "LDAP exchange" to something else
>(which would get the current definition of "LDAP exchange") after
>Kurt's changes. If you wish to suggest a better term, read this
><RR> This seems to be talking about "connections"?
>Personally I prefer several other terms over "LDAP exchange", but I
>don't feel strongly about it.