This revision has attempted to address all outstanding comments made regarding prior revisions. I have tried to reflect WG consensus though all changes, however, several issues have had little or no discussion. In the absence of dissenting opinions, I have accepted most of these suggestions under the assumption that they reflect consensus opinion.
I will attempt to respond to any feedback on receive on this revision Thursday or Friday in time to publish another revision prior to the IETF 62 meeting.
In addition to many smaller editorial changes, the larger changes in this revision include:
General
- Moved to standardized LDAP TS terms: transport connection, TLS layer, SASL layer, and LDAP message layer. Reworked usage of terminology throughout document to conform to latest usage.
- Changed language on resultCode values to be less prescriptive and more descriptive.
Section 2
- Updated implementation requirements for protecting LDAP simple bind mechanism to conform to WG consensus. Section 3.1.1
- Moved last paragraph to security considerations and made generalized discussion of use of confidentialityRequired resultCode general for all data confidentiality services not just TLS. Section 3.1.4
- Rewrote last paragraph to clarify that SASL EXTERNAL is a client action when server uses certificate information to derive authorization ID. Section 3.2
- Collapsed three subsections into a single subsection. Removed text that implied that the TLS credentials were the only lower layer credentials that are used by SASL EXTERNAL in determining authentication ID and authorization ID. Section 8
- Removed most of last paragraph that was redundant with implementation requirements in section 2. Section 11
- Generalized discussion of SASL authorization identities and moved to new section 9.7. Clarified language around implicit and explicit assertion of authorization identities. Appendix A
- Further collapsed identical states and actions continuing work in previous revisions. >>> <Internet-Drafts@ietf.org> 02/15/05 8:33 AM >>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the LDAP (v3) Revision Working Group of the IETF. Title: LDAP: Authentication Methods and Connection Level Security Mechanism Author(s): R. Harrison Filename: draft-ietf-ldapbis-authmeth-14.txt Pages: 45 Date: 2005-2-14 This document describes authentication methods and connection level security mechanisms of the Lightweight Directory Access Protocol (LDAP). This document details establishment of TLS (Transport Layer Security) using the StartTLS operation. This document details the simple Bind authentication method including anonymous, unauthenticated, and plain-text password mechanisms and the SASL (Simple Authentication and Security Layer) Bind authentication method including DIGEST-MD5 and EXTERNAL mechanisms. This document discusses various authentication and authorization states through which a connection to an LDAP server may pass and the actions that trigger these state changes. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-14.txt To remove yourself from the I-D Announcement list, send a message to i-d-announce-request@ietf.org with the word unsubscribe in the body of the message. You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce to change your subscription settings. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ldapbis-authmeth-14.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org . In the body type: "FILE /internet-drafts/draft-ietf-ldapbis-authmeth-14.txt". NOTE:The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. |
Attachment:
Part.001
Description: Binary data
Content-Type: text/plain Content-ID: <2005-2-15103806.I-D@ietf.org>