
Re: protocol: strongAuthRequired



At 09:25 AM 12/7/2004, Hallvard B Furuseth wrote:
>Two issues:
>
>1.
>
>I didn't reply to this for protocol-27; I thought some other message
>(from me or Kurt?) had addressed it.  Sorry about that.
>
>Jim Sermersheim writes:
>> Subject: Re: Result code for invalidated associations
>>
>>>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 11/9/04 5:00:32 PM >>
>>
>>>> I also plan to update the current general description of
>>>> strongAuthRequired to:
>>>> The server requires the client to authenticate using a strong(er)
>>>> mechanism.
>>>
>>>...in order to perform the current LDAP operation?
>>
>> I guess it depends on the operation. If it's on a Notice of
>> Disconnection, then no.
>
>Notice of Disconnection is addressed in a separate text anyway, so it's
>not relevant to the general description of strongAuthRequired.
>
>> If it's on a BindResponse, then yes. Similar to
>> this is confidentialityRequired. While Notice of Disconnection is free
>> to send this, so are other operations. I suppose even loopDetect could
>> be sent on a Notice of Disconnection.
>>
>> Do you think we need to add your suggested text? (if so, why?)
>
>"The server requires the client to authenticate using a strong(er)
>mechanism" indicates that the client cannot expect the following
>requests to succeed unless it authenticates stronger.  I believe that is
>wrong: It can go on with other operations, it is only the particular
>operation which this is a response to which will not succeed unless the
>client authenticates stronger.
>
>So, to copy from Kurt's message at the same time:
>> I suggest:
>>        The server requires strong(er) authentication in order to
>>        perform the operation.

I prefer this text as it is clear that the scope of the
result code is limited to the operation.

>========
>
>2.
>
>Renaming the result code to strongerAuthRequired.
>
>Kurt and I have talked about this.  Is the suggestion dead?  Or do we
>take that later, if [authmeth] discussions indicate it?  (I believe my
>suggestion of 'authRequired' is no longer relevant, with the death of
>invalidated associations.)

I am fine with renaming this result code.

Kurt