protocol: strongAuthRequired
- To: ietf-ldapbis@OpenLDAP.org
- Subject: protocol: strongAuthRequired
- From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Date: Tue, 7 Dec 2004 18:25:51 +0100
- In-reply-to: <s1913828.045@sinclair.provo.novell.com>
- References: <s1913828.045@sinclair.provo.novell.com>
Two issues:
1.
I didn't reply to this for protocol-27; I thought some other message
(from me or Kurt?) had addressed it. Sorry about that.
Jim Sermersheim writes:
> Subject: Re: Result code for invalidated associations
>
>>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 11/9/04 5:00:32 PM >>
>
>>> I also plan to update the current general description of
>>> strongAuthRequired to:
>>> The server requires the client to authenticate using a strong(er)
>>> mechanism.
>>
>>...in order to perform the current LDAP operation?
>
> I guess it depends on the operation. If it's on a Notice of
> Disconnection, then no.
Notice of Disconnection is addressed in a separate text anyway, so it's
not relevant to the general description of strongAuthRequired.
> If it's on a BindResponse, then yes. Similar to
> this is confidentialityRequired. While Notice of Disconnection is free
> to send this, so are other operations. I suppose even loopDetect could
> be sent on a Notice of Disconnection.
>
> Do you think we need to add your suggested text? (if so, why?)
"The server requires the client to authenticate using a strong(er)
mechanism" indicates that the client cannot expect the following
requests to succeed unless it authenticates stronger. I believe that is
wrong: It can go on with other operations, it is only the particular
operation which this is a response to which will not succeed unless the
client authenticates stronger.
So, to copy from Kurt's message at the same time:
> I suggest:
> The server requires strong(er) authentication in order to
> perform the operation.
========
2.
Renaming the result code to strongerAuthRequired.
Kurt and I have talked about this. Is the suggestion dead? Or do we
take that later, if [authmeth] discussions indicate it? (I believe my
suggestion of 'authRequired' is no longer relevant, with the death of
invalidated associations.)
--
Hallvard
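As an added illustration of the distinction drawn in this message (example code, not from the ietf-ldapbis list, the protocol draft, or any LDAP implementation): a toy Python client that treats strongAuthRequired on an ordinary response as a failure of that one operation only, while a Notice of Disconnection ends the association regardless of the resultCode it carries. The resultCode value 8 and the notification OID are the ones the LDAP protocol specification (RFC 4511) assigns; the ToyServer policy, its STRONG set, and every class and function name are constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class ResultCode(IntEnum):
    success = 0
    strongAuthRequired = 8  # resultCode value assigned by RFC 4511


# OID of the Notice of Disconnection unsolicited notification (RFC 4511).
NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"


@dataclass
class Response:
    message_id: int                      # 0 marks an unsolicited notification
    result_code: ResultCode
    response_name: Optional[str] = None  # responseName of an ExtendedResponse


class ToyServer:
    """Constructed server: search is open to anyone; modify needs an association
    authenticated with a mechanism in STRONG (an assumed policy)."""

    STRONG = {"EXTERNAL", "DIGEST-MD5"}  # assumed set of 'strong' mechanisms

    def __init__(self):
        self.mechanism = None  # None: anonymous association

    def bind(self, msg_id: int, mechanism: str) -> Response:
        self.mechanism = mechanism
        return Response(msg_id, ResultCode.success)

    def search(self, msg_id: int) -> Response:
        return Response(msg_id, ResultCode.success)

    def modify(self, msg_id: int) -> Response:
        if self.mechanism not in self.STRONG:
            # Per-operation refusal: only this request is rejected.
            return Response(msg_id, ResultCode.strongAuthRequired)
        return Response(msg_id, ResultCode.success)

    def disconnect(self) -> Response:
        # Unsolicited notification with the same resultCode; here it means the
        # server is about to close the association.
        return Response(0, ResultCode.strongAuthRequired, NOTICE_OF_DISCONNECTION)


class Client:
    """Minimal client that tracks whether the association is still usable."""

    def __init__(self, server: ToyServer):
        self.server = server
        self.connected = True
        self._next_id = 1

    def _msg_id(self) -> int:
        msg_id = self._next_id
        self._next_id += 1
        return msg_id

    def interpret(self, resp: Response) -> str:
        """Classify a response the way the message argues a client should."""
        if resp.message_id == 0 and resp.response_name == NOTICE_OF_DISCONNECTION:
            # The server is closing the association whatever resultCode the
            # notice carries; nothing further can be sent on it.
            self.connected = False
            return "association-closed"
        if resp.result_code == ResultCode.strongAuthRequired:
            # Only the operation this answers has failed; other operations on
            # the same association may still succeed.
            return "operation-needs-stronger-auth"
        return "ok" if resp.result_code == ResultCode.success else "failed"

    def bind(self, mechanism: str) -> str:
        return self.interpret(self.server.bind(self._msg_id(), mechanism))

    def search(self) -> str:
        return self.interpret(self.server.search(self._msg_id()))

    def modify(self) -> str:
        return self.interpret(self.server.modify(self._msg_id()))


def run_scenario() -> dict:
    """Walk through both cases and record what the client concluded at each step
    (dict literals evaluate left to right, so the side effects happen in order)."""
    server = ToyServer()
    client = Client(server)
    return {
        "modify as anonymous": client.modify(),
        "search as anonymous": client.search(),
        "connected after refusal": client.connected,
        "bind EXTERNAL": client.bind("EXTERNAL"),
        "modify after bind": client.modify(),
        "notice of disconnection": client.interpret(server.disconnect()),
        "connected after notice": client.connected,
    }


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:26} -> {outcome}")
```

The point of the scenario is the middle rows: after the anonymous modify is refused with strongAuthRequired, the search on the same association still succeeds and `connected` stays True, which is exactly why the result code's general description should speak of "the operation" rather than implying the whole session must re-authenticate.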