RE: "LDAP exchange" (was: Misuse of the term "association" in[Protocol])
Ramsay, Ron writes:
> To: "Jim Sermersheim" <jimse@novell.com>, <h.b.furuseth@usit.uio.no>
>
> The current definition of 'association' refers to the authN and authZ
> state as it applies to the <whatever term you want which describes the
> exchange of LDAP PDUs>. If we use 'association' for that, then do we
> need a new term for the old association definition?
>
> <RR> "Association" actually refers to the association between the client
> and the server.
No, "association" in [Protocol] and [Authmeth] actually refers to what
these documents say it refers to. (Section 2 in [Protocol], section
1.2.1 in [Authmeth].) Except that they get their own usage wrong at
times. But changing it to mean what you say it means will certainly
confuse a lot of [Authmeth] readers.
> If you are going to change this then you will probably
> confuse a lot of people. I don't see any need for a "relationship"
> between authN and authZ - one is derived from the other, end of story.
I don't know where you get this "relationship" from - it's not in the
definition in the documents, nor in this thread.
> Layer 4 (currently LDAP exchange): This represents the application
> layer where LDAP PDUs are exchanged (sent and received) between protocol
> peers. Is this definition non-descriptive? Does it not make sense? Is it
> just the name that sucks? Maybe we should have called it 'LDAP PDU
> layer'
>
> <RR> As Kurt has said, we are not concerned here with the "layer" but
> with the "session".
Well, I prefer something with the "layer" meaning over something with
the "session" meaning, mainly since we already have a number of layers
defined, and I find this snippet (section 2) rather telling:
The term "LDAP exchange" refers to application layer where (...)
Most places where "LDAP exchange" is used, a session works fine (except
minor rewordings like "on" -> "in"). A few places, a layer works
better: "TLS-protected LDAP exchange" (4.14), "remove the TLS layer and
leave the LDAP exchange intact" (4.14.3.1). "A particular operation
sent on an association between a client and server" (4.5.3) may also
need a little wordsmithing for the "session" meaning.
Still, I'll take either variant over "LDAP exchange".
> Then there is (or at least there was) the thought that we need to
> provide a term which describes the association of the authN and authZ
> state as it relates to Layer 4. Kurt's suggestion is that we don't need
> to define (nor name) this. But that we instead update the doc in the
> places he described. I agree with most of the changes, but the change to
> Section 6 makes me feel like the term was useful, and we're rewording
> just so we can drop the use of the term.
>
> <RR> It seems to me that you don't need a term to associate these.
Authmeth needs to associate them (or at least the authz ID, see my
message 'authmeth: association -= authentication ID') to the LDAP
session/exchange/whatever.
> Also,
> I don't know what was objectionable about Section 6. Is this the
> offending paragraph?
>
> "Server implementors should plan for the possibility of an identity in
> an association being deleted, renamed, or modified, and take
> appropriate actions to prevent insecure side effects. Likewise,
> server implementors should plan for the possibility of an associated
> identity's credentials becoming invalid, or an identity's privileges
> being changed. The ways in which these issues are addressed are
> application and/or implementation specific."
>
> <RR> If it is, I note that "associated" is being used in a social or
> chatty way, and not in a standards-based way.
Yes, it is "association" and not "associated" which is defined as a
special LDAP term.
> If we decide to drop the term 'association' as Kurt suggested, do we
> want to re-adopt it as the term to describe Layer 4 (I think this is
> what Ron is asking for)?
No, because authmeth still uses it.
--
Hallvard