
authmeth: encryption strength vs. access control



I think something like this should be stated in authmeth (though I
don't expect this exact wording is quite correct):

  If the server uses the connection's encryption strength as an access
  control factor, it should generally use the weakest strength of when
  the request was received and when the response is sent - or maybe the
  weakest strength _since_ the request was received.

  The encryption strengths involved include: the strength used to
  transfer the authentication credentials which resulted in the current
  association, the strength protecting the request, the strength
  protecting the response, [others?].
  A combination of these strengths may be used for the access control
  factor.

It may be worse - if the server checked a client certificate at StartTLS
and the strength has been negotiated upwards since then, maybe the
weakest strength since TLS establishment is relevant.  I expect the same
can apply to SASL mechanisms that support renegotiation.

Inspired by an old message from Kurt which I can't find at the moment.

-- 
Hallvard
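
The following sketch is an added illustration of the proposal in the message above; it is not part of the original message or of authmeth. It tracks the weakest strength since the credentials were checked and since each request was received, and compares that floor with the current strength alone. The class and method names are hypothetical, and modelling strength as an integer number of bits is an assumption.

```python
# Added illustration; names are hypothetical and strength is modelled
# as an integer number of bits (0 = cleartext), which is an assumption.
class Connection:
    def __init__(self):
        self.current = 0        # strength of the layer in force right now
        self.auth_floor = None  # weakest strength since credentials were checked
        self.pending = {}       # msgid -> weakest strength since request arrived

    def negotiate(self, bits):
        """StartTLS, TLS renegotiation, or a SASL security layer change."""
        self.current = bits
        if self.auth_floor is not None:
            self.auth_floor = min(self.auth_floor, bits)
        for msgid in self.pending:
            self.pending[msgid] = min(self.pending[msgid], bits)

    def authenticate(self):
        """Credentials (bind, or client certificate at StartTLS) accepted."""
        self.auth_floor = self.current

    def receive(self, msgid):
        self.pending[msgid] = self.current

    def effective_strength(self, msgid):
        """Value to feed into access control when the response is sent."""
        factors = [self.pending[msgid], self.current]
        if self.auth_floor is not None:
            factors.append(self.auth_floor)
        return min(factors)


def upgraded_after_auth():
    c = Connection()
    c.negotiate(56)       # weak layer established
    c.authenticate()      # certificate checked over that weak layer
    c.negotiate(256)      # strength negotiated upwards afterwards
    c.receive(1)
    return c.current, c.effective_strength(1)


def dipped_during_request():
    c = Connection()
    c.negotiate(256)
    c.authenticate()
    c.receive(2)
    c.negotiate(40)       # strength drops after the request was received
    c.negotiate(256)      # and is restored before the response is sent
    return c.current, c.effective_strength(2)
```

In both scenarios a check against the current strength alone sees 256 bits, while the tracked floor is 56 and 40 bits respectively.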