
RE: "LDAP exchange" (was: Misuse of the term "association" in [Protocol])



My comments inline

-----Original Message-----
From: owner-ietf-ldapbis@OpenLDAP.org
[mailto:owner-ietf-ldapbis@OpenLDAP.org]On Behalf Of Jim Sermersheim
Sent: Tuesday, 5 October 2004 11:59
To: Ramsay, Ron; h.b.furuseth@usit.uio.no
Cc: ietf-ldapbis@OpenLDAP.org
Subject: RE: "LDAP exchange" (was: Misuse of the term "association"
in [Protocol])


The current definition of 'association' refers to the authN and authZ
state as it applies to the <whatever term you want which describes the
exchange of LDAP PDUs>. If we use 'association' for that, then do we
need a new term for the old association definition?

<RR> "Association" actually refers to the association between the client and the server. If you are going to change this then you will probably confuse a lot of people. I don't see any need for a "relationship" between authN and authZ - one is derived from the other, end of story.

Maybe we need to agree on the things that need defining, then define
them, then name them. Can we start with the image from Section 5? It
shows 4 layers, from bottom to top:

Layer 1 (currently connection): This is the transport layer which
carries all data between protocol peers. For example: TCP.

Layer 2 (currently TLS layer): I think the current definition is not
contentious.

Layer 3 (currently SASL layer): I think the current definition is not
contentious.

Layer 4 (currently LDAP exchange): This represents the application
layer where LDAP PDUs are exchanged (sent and received) between protocol
peers. Is this definition non-descriptive? Does it not make sense? Is it
just the name that sucks? Maybe we should have called it 'LDAP PDU
layer'.

<RR> As Kurt has said, we are not concerned here with the "layer" but with the "session". I find the term "exchange" non-descriptive, non-intuitive, non-semantic.

Then there is (or at least there was) the thought that we need to
provide a term which describes the association of the authN and authZ
state as it relates to Layer 4. Kurt's suggestion is that we don't need
to define (nor name) this. But that we instead update the doc in the
places he described. I agree with most of the changes, but the change to
Section 6 makes me feel like the term was useful, and we're rewording
just so we can drop the use of the term.

<RR> It seems to me that you don't need a term to associate these. Also, I don't know what was objectionable about Section 6. Is this the offending paragraph?

"Server implementors should plan for the possibility of an identity in
an association being deleted, renamed, or modified, and take
appropriate actions to prevent insecure side effects. Likewise,
server implementors should plan for the possibility of an associated
identity's credentials becoming invalid, or an identity's privileges
being changed. The ways in which these issues are addressed are
application and/or implementation specific."

<RR> If it is, I note that "associated" is being used in a social or chatty way, and not in a standards-based way. It doesn't seem to relate to the protocol. But it can be reworded not to use the term. For example, "Server implementors should expect that the credentials used to establish the association may become invalid, or that the privileges bound to the identity at bind-time may change, as time goes on."

If we decide to drop the term 'association' as Kurt suggested, do we
want to re-adopt it as the term to describe Layer 4 (I think this is
what Ron is asking for)?

<RR> I think that would be best. Then you can hang the discussion of messageIDs and update responses, for example, on a properly defined "association".

Jim

>>> "Ramsay, Ron" <Ron.Ramsay@ca.com> 10/4/04 7:07:31 PM >>>
Hi Hallvard,

I had a look in *protocol*26.txt for a definition of "LDAP exchange"
and got nothing! Here are some quotes:

"The term "connection" refers to the underlying transport service used
to carry the protocol exchange."

- This is the first use of "exchange" (apart from the TOC) and is
clearly not a definition.

"The term "LDAP exchange" refers to application layer where LDAP PDUs
are exchanged between protocol peers."

- I wouldn't call this a definition either. a) How can an "exchange" be
a layer? b) It "refers" to an application layer, but what is it?

"The term "SASL layer" refers to a layer inserted between the
connection and the LDAP exchange that utilizes Simple Authentication
and Security Layer ([SASL]) to protect the exchange of LDAP PDUs."

- This use of exchange is more normal - peers simply exchanging PDUs,
no semantics implied.

So much for "exchange".

Now, tell me, what is your objection to "association"? Or, to be more
specific, what sentence or paragraph in protocol-26 do you think
requires a term like (ugh) "exchange"?

Ron

PS Some comments inline

-----Original Message-----
From: Hallvard B Furuseth [mailto:h.b.furuseth@usit.uio.no] 
Sent: Monday, 4 October 2004 22:57
To: Ramsay, Ron
Cc: ietf-ldapbis@OpenLDAP.org 
Subject: "LDAP exchange" (was: Misuse of the term "association" in
[Protocol])


Ramsay, Ron writes:
> I note that you are not listening to me, and I guess that it OK. But
> this problem will not go away until you drop this strange "LDAP
> exchange" thing. It DOES NOT, at least in English, mean the ongoing
> exchange of protocol data.

Nor is it defined that way in [Protocol].  Did you see my message
http://www.openldap.org/lists/ietf-ldapbis/200410/msg00002.html ?

<RR> Yes. I don't think the word "exchange" can be used in this
context. "Stream" is certainly better.

> The only chance for sanity here is to keep "association" and drop
> "exchange".

That would be wrong, since "association" is defined as something
different.  We could rename the term "LDAP exchange" to something else
(which would get the current definition of "LDAP exchange") after
making Kurt's changes.  If you wish to suggest a better term, read this
thread first:

  http://www.openldap.org/lists/ietf-ldapbis/200404/msg00023.html 

<RR> This seems to be talking about "connections"?

Personally I prefer several other terms over "LDAP exchange", but I
don't feel strongly about it.

-- 
Hallvard