
Fwd: I-D ACTION:draft-ietf-ldapbis-authmeth-14.txt



This revision has attempted to address all outstanding comments made regarding prior revisions.  I have tried to reflect WG consensus through all changes; however, several issues have had little or no discussion. In the absence of dissenting opinions, I have accepted most of these suggestions under the assumption that they reflect consensus opinion.
 
I will attempt to respond to any feedback I receive on this revision Thursday or Friday in time to publish another revision prior to the IETF 62 meeting.
 
In addition to many smaller editorial changes, the larger changes in this revision include:
 
General
- Moved to standardized LDAP TS terms: transport connection, TLS layer, SASL layer, and LDAP message layer. Reworked usage of terminology throughout document to conform to latest usage.
- Changed language on resultCode values to be less prescriptive and more descriptive.
 
Section 2
- Updated implementation requirements for protecting LDAP simple bind mechanism to conform to WG consensus.
 
Section 3.1.1
- Moved last paragraph to security considerations and made generalized discussion of use of confidentialityRequired resultCode general for all data confidentiality services not just TLS.
 
Section 3.1.4
- Rewrote last paragraph to clarify that SASL EXTERNAL is a client action when server uses certificate information to derive authorization ID.
 
Section 3.2
- Collapsed three subsections into a single subsection. Removed text that implied that the TLS credentials were the only lower layer credentials that are used by SASL EXTERNAL in determining authentication ID and authorization ID.
 
Section 8
- Removed most of last paragraph that was redundant with implementation requirements in section 2.
 
Section 11
- Generalized discussion of SASL authorization identities and moved to new section 9.7. Clarified language around implicit and explicit assertion of authorization identities.
 
Appendix A
- Further collapsed identical states and actions continuing work in previous revisions.
 

>>> <Internet-Drafts@ietf.org> 02/15/05 8:33 AM >>>
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the LDAP (v3) Revision Working Group of the IETF.

Title: LDAP: Authentication Methods and Connection Level Security Mechanism
Author(s): R. Harrison
Filename: draft-ietf-ldapbis-authmeth-14.txt
Pages: 45
Date: 2005-2-14

This document describes authentication methods and connection level
security mechanisms of the Lightweight Directory Access Protocol
(LDAP).

This document details establishment of TLS (Transport Layer
Security) using the StartTLS operation.

This document details the simple Bind authentication method
including anonymous, unauthenticated, and plain-text password
mechanisms and the SASL (Simple Authentication and Security Layer)
Bind authentication method including DIGEST-MD5 and EXTERNAL
mechanisms.

This document discusses various authentication and authorization
states through which a connection to an LDAP server may pass and the
actions that trigger these state changes.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-14.txt

To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.


Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-ldapbis-authmeth-14.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
mailserv@ietf.org .
In the body type:
"FILE /internet-drafts/draft-ietf-ldapbis-authmeth-14.txt".

NOTE:The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.

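The announcement above names the three simple Bind mechanisms (anonymous, unauthenticated, and name/password) and the change list mentions that the confidentialityRequired resultCode now covers any data confidentiality service, not just TLS. The following is an added example, not code from the draft or from any LDAP implementation, that encodes those distinctions as a server-side decision function plus the client-side guard an application developer wants against the unauthenticated-Bind pitfall. The policy knobs, the CREDENTIALS table, the DN used, and the state labels are assumptions made for this example; the normative requirements are in the draft itself.

```python
"""Simple Bind mechanism classification and server-side answer selection.

Added illustration for the three simple Bind mechanisms (anonymous,
unauthenticated, name/password) and for the confidentialityRequired
resultCode.  Not code from the draft or any LDAP implementation; the policy
knobs, the CREDENTIALS table and the state labels are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Mechanism(Enum):
    ANONYMOUS = "anonymous"              # zero-length name and zero-length password
    UNAUTHENTICATED = "unauthenticated"  # name present, zero-length password
    NAME_PASSWORD = "name/password"      # password present


def classify_simple_bind(name: str, password: bytes) -> Mechanism:
    """Map the name/password pair of a simple Bind request to its mechanism."""
    if not password:
        return Mechanism.UNAUTHENTICATED if name else Mechanism.ANONYMOUS
    # An empty name with a non-empty password falls through to name/password
    # and simply fails verification below (assumption for this example).
    return Mechanism.NAME_PASSWORD


@dataclass(frozen=True)
class ConnectionState:
    """Lower layers present on the transport connection under the LDAP message layer."""
    tls_layer: bool = False             # installed by StartTLS
    sasl_security_layer: bool = False   # installed by a SASL Bind

    @property
    def confidential(self) -> bool:
        # Either layer can supply data confidentiality; TLS is not special here.
        return self.tls_layer or self.sasl_security_layer


@dataclass(frozen=True)
class ServerPolicy:
    allow_unauthenticated: bool = False          # refuse name + empty password
    password_needs_confidentiality: bool = True  # refuse cleartext passwords


# Constructed credential store (assumption): DN -> SHA-256 of the password.
CREDENTIALS = {
    "cn=alice,dc=example,dc=com": hashlib.sha256(b"correct horse").digest(),
}


def _password_ok(name: str, password: bytes) -> bool:
    digest = CREDENTIALS.get(name)
    if digest is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(password).digest())


def decide_simple_bind(name: str, password: bytes,
                       conn: ConnectionState, policy: ServerPolicy):
    """Return (resultCode name, authorization state after the Bind).

    The bound name stands in for the authorization identity on success.
    """
    mech = classify_simple_bind(name, password)
    if mech is Mechanism.ANONYMOUS:
        return "success", "anonymous"
    if mech is Mechanism.UNAUTHENTICATED:
        # Even when permitted, an unauthenticated Bind grants only anonymous access.
        if not policy.allow_unauthenticated:
            return "unwillingToPerform", "anonymous"
        return "success", "anonymous"
    if policy.password_needs_confidentiality and not conn.confidential:
        # The password would cross the wire in the clear: refuse without checking it.
        return "confidentialityRequired", "anonymous"
    if _password_ok(name, password):
        return "success", name
    # A failed Bind leaves the connection in the anonymous state.
    return "invalidCredentials", "anonymous"


def client_bind_guard(name: str, password: bytes) -> None:
    """Client-side check: never send a Bind that cannot actually authenticate a user."""
    if classify_simple_bind(name, password) is not Mechanism.NAME_PASSWORD:
        raise ValueError("refusing anonymous/unauthenticated Bind for user login")
```

The client guard matters because a server that accepts unauthenticated Binds returns success for a name plus an empty password, so an application that treats "Bind succeeded" as "user authenticated" lets anyone log in as any DN by submitting a blank password. The server side shows why the TLS-only wording was generalized: a SASL security layer satisfies the confidentiality check exactly as a TLS layer does.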