
protocol: strongAuthRequired



Two issues:

1.

I didn't reply to this for protocol-27; I thought some other message
(from me or Kurt?) had addressed it.  Sorry about that.

Jim Sermersheim writes:
> Subject: Re: Result code for invalidated associations
>
>>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 11/9/04 5:00:32 PM >>
>
>>> I also plan to update the current general description of
>>> strongAuthRequired to:
>>> The server requires the client to authenticate using a strong(er)
>>> mechanism.
>>
>>...in order to perform the current LDAP operation?
>
> I guess it depends on the operation. If it's on a Notice of
> Disconnection, then no.

Notice of Disconnection is addressed in a separate text anyway, so it's
not relevant to the general description of strongAuthRequired.

> If it's on a BindResponse, then yes. Similar to
> this is confidentialityRequired. While Notice of Disconnection is free
> to send this, so are other operations. I suppose even loopDetect could
> be sent on a Notice of Disconnection.
>
> Do you think we need to add your suggested text? (if so, why?)

"The server requires the client to authenticate using a strong(er)
mechanism" indicates that the client cannot expect the following
requests to succeed unless it authenticates stronger.  I believe that is
wrong: It can go on with other operations, it is only the particular
operation which this is a response to which will not succeed unless the
client authenticates stronger.

So, to copy from Kurt's message at the same time:
> I suggest:
>        The server requires strong(er) authentication in order to
>        perform the operation.

========

2.

Renaming the result code to strongerAuthRequired.

Kurt and I have talked about this.  Is the suggestion dead?  Or do we
take that later, if [authmeth] discussions indicate it?  (I believe my
suggestion of 'authRequired' is no longer relevant, with the death of
invalidated associations.)

-- 
Hallvard