
Re: Result code for invalidated associations



As chair, I note my desire to try to divorce [AuthMeth]
and [Protocol] issues as much as possible in hopes that
will allow the WG to complete both in a timely fashion.
At this time, I would like to focus on issues pertaining
to [Protocol].  As [Protocol] doesn't use the term "LDAP
association", I would rather we avoid it in this discussion.
Instead, I would rather we talk in terms of credentials, cipher
keys, and their invalidation.

In regards to renaming the strongAuthRequired to be
the strongerAuthRequired (or something else), it seems
that there is some support for renaming.  However, further
discussion is needed to determine if consensus supports
such.

In regards to return of invalidCredentials, it seems
you are interpreting [Protocol] as precluding the use
of the result code to indicate that previously
provided credentials are invalid.  It seems that
[Protocol] could also be interpreted as not precluding
this use.  The WG should discuss further whether return
of invalidCredentials may or may not be used to indicate
previously provided credentials are invalid and what
clarifications, if any, should be made to [Protocol]
in this area.

Kurt




At 08:40 AM 10/29/2004, Hallvard B Furuseth wrote:
>The subthread of 'authmeth-12 review notes' about invalidated
>associations, with this message of 28 Sep 2004 23:56:43 as its 'tail':
>  http://www.openldap.org/lists/ietf-ldapbis/200409/msg00061.html
>suggests some changes that involve [protocol].
>
>1. Due to invalidated associations, a better name for strongAuthRequired
>   would be strongerAuthRequired - or even authRequired or bindRequired
>   (I added the latter since anonymous bind is not exactly authentication.)
>
>2. If we instead use invalidCredentials to indicate invalidated
>   associations as I suggested, that must be reflected in [Protocol].
>
>-- 
>Hallvard