
RE: "LDAP exchange" (was: Misuse of the term "association" in [Protocol])



At 09:08 AM 10/5/2004, Hallvard B Furuseth wrote:
>Jim Sermersheim writes:
>> Then there is (or at least there was) the thought that we need to
>> provide a term which describes the association of the authN and authZ
>> state as it relates to Layer 4. Kurt's suggestion is that we don't need
>> to define (nor name) this. But that we instead update the doc in the
>> places he described. I agree with most of the changes, but the change to
>> Section 6 makes me feel like the term was useful, and we're rewording
>> just so we can drop the use of the term.
>
>My vote is to drop "association".  It doesn't seem very useful to define
>a term which is only needed once, and apparently this is the only place
>in [Protocol] which does need it.

One of my concerns is that, in reviewing [authmeth], we may
find that definition and use of "association" is poor.  (For
instance, we may find the use of "association" is inconsistent
with RFC 2828, 2829, 2830 and decide not to stick with the
current [authmeth] definition and usage.)  If so, I want to
be able to update [authmeth] without having to go back and
muck with [Protocol].

>I do like the current wording better
>than Kurt's, but I also dislike to require readers to remember more
>definitions than necessary.

Here's a slightly reworded Section 6 offering.  Note that
I am trying to accomplish two things with this rewording.
1) avoid the term "association" in [protocol]
2) generalize the security consideration.

  Server implementors should plan for the possibility that
  information (e.g., credentials) used to establish security
  factors (e.g., authorization identities) and/or policies
  (e.g., access controls) may change (due to protocol or
  external events) during the course of the LDAP exchange,
  and even during the performance of a particular operation,
  and should take steps to avoid insecure side effects of
  these changes.  The ways in which these issues are addressed
  are application and/or implementation specific.
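As an added illustration of the reworded consideration (a constructed toy model, not code from this thread or from any LDAP implementation): a server that decides access once at the start of a search is compared with one that re-checks each entry against the current authorization identity and policy, when a policy revocation or a new Bind lands mid-operation. The entry names, identities and event hooks are assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass
class Directory:
    entries: list   # entry DNs in search order
    acl: dict       # DN -> set of authorization identities allowed to read it

    def may_read(self, authz_id, dn):
        return authz_id in self.acl.get(dn, set())

@dataclass
class Connection:
    directory: Directory
    authz_id: str = "anonymous"   # set by Bind; a later Bind may change it

def search_snapshot(conn, event=None):
    """Insecure pattern: access is decided once, at the start of the operation."""
    allowed = {dn for dn in conn.directory.entries
               if conn.directory.may_read(conn.authz_id, dn)}
    results = []
    for dn in conn.directory.entries:
        if event: event(conn, dn)   # something changes while the search is in progress
        if dn in allowed:
            results.append(dn)
    return results

def search_live(conn, event=None):
    """Re-checks each entry against the current identity and current policy."""
    results = []
    for dn in conn.directory.entries:
        if event: event(conn, dn)
        if conn.directory.may_read(conn.authz_id, dn):
            results.append(dn)
    return results

def make_conn():
    # constructed data: three entries readable only by cn=alice, who is bound
    dns = ["cn=a", "cn=b", "cn=c"]
    acl = {dn: {"cn=alice"} for dn in dns}
    return Connection(Directory(dns, acl), authz_id="cn=alice")

def revoke_policy(conn, dn):
    # external event: alice's read right is withdrawn just before cn=b is examined
    if dn == "cn=b":
        for rights in conn.directory.acl.values():
            rights.discard("cn=alice")

def rebind_anonymous(conn, dn):
    # protocol event: a new Bind drops the authorization identity to anonymous
    if dn == "cn=b":
        conn.authz_id = "anonymous"
```

With either event the snapshot search keeps returning cn=b and cn=c after the right has gone, which is the "insecure side effect" the paragraph warns about; the live check stops at cn=a.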