
Re: Result code for invalidated associations



Responding as an individual,

At 12:34 PM 10/29/2004, Kurt D. Zeilenga wrote:
>In regards to renaming the strongAuthRequired to be
>the strongerAuthRequired (or something else), it seems
>that there is some support for renaming.  However, further
>discussion is needed to determine if consensus supports
>such.

As I believe that changing the name of this result code to
strongerAuthRequired would likely reduce confusion over the
semantics of the code, I support making this change.

>In regards to return of invalidCredentials, it seems
>you are interpreting [Protocol] as precluding the use
>of the result code to indicate that previously
>provided credentials are invalid.  It seems that
>[Protocol] could also be interpreted as not precluding
>this use.  The WG should discuss further whether return
>of invalidCredentials may or may not be used to indicate
>previously provided credentials are invalid and what
>clarifications, if any, should be made to [Protocol]
>in this area.

It's my view that result codes are only indicative of
why the server was unwilling or unable to successfully
complete the requested operation.  The result codes
are not indicative of the outcome of subsequently
requested operations.  I believe the term "provided"
clarifies that the referred to credentials are carried
by or established through the request.  Even without the
word "provided", the referred to credentials are the
ones carried by or established through the request.

It would be inappropriate to redefine the result to
refer to credentials not carried by or established through
the request.  This is because there may be control
extensions which carry credentials that call for this code
to be returned if those credentials are invalid.

One could return Notice of Disconnect with either a
strong[er]AuthRequired or invalidCredentials to indicate
the credentials are no longer considered valid.  The
question I guess is whether the implied distinction between
the two codes (expected or unexpected) is useful. I
guess I would argue yes it is.

But, the next question would be whether folks want to return
Notice of Disconnect in expected credential invalidation.
However, providing a Notice of Credential Invalidation (or
whatever you want to call it) seems something better left
to extensions.

The short of it is, I believe that the description for
credentials is fine as is.  I do not support making changes
in this area.



>Kurt
>
>
>
>
>At 08:40 AM 10/29/2004, Hallvard B Furuseth wrote:
>>The subthread of 'authmeth-12 review notes' about invalidated
>>associations, with this message of 28 Sep 2004 23:56:43 as its 'tail':
>>  http://www.openldap.org/lists/ietf-ldapbis/200409/msg00061.html
>>suggests some changes that involve [protocol].
>>
>>1. Due to invalidated associations, a better name for strongAuthRequired
>>   would be strongerAuthRequired - or even authRequired or bindRequired
>>   (I added the latter since anonymous bind is not exactly authentication.)
>>
>>2. If we instead use invalidCredentials to indicate invalidated
>>   associations as I suggested, that must be reflected in [Protocol].
>>
>>-- 
>>Hallvard