
Re: I-D ACTION:draft-ietf-ldapbis-authmeth-15.txt



Authmeth-15 addresses all known outstanding issues raised for earlier versions of the document.  A summary of changes made in this draft follows below. Please review this draft and raise issues in the next several days.

Thanks,

Roger

General:

 - Resolved all known outstanding issues and comments for -14 draft.

 - Replaced all usage of "LDAP association" with appropriate terminology based on LDAP technical spec.

 - Edits for clarity and consistency.

 - Removed Section 3.1.3 of -14 draft on TLS version negotiation. (This is part of the TLS spec.)

 - Removed Section 3.3.1 of -14 draft on TLS ciphersuite recommendations.

 - Removed Appendix A - Association State Transition Tables

Section 1

 - Updated some security terminology to be consistent with RFC 2828.

Section 3.1.2

 - Removed TLS operation details that are now covered in [Protocol].

Section 3.1.5

 - Substantial edits to Server Identity Check. Most significant is the requirement that the check MUST be performed against a dNSName value if one is present in the subjectAltName of the server cert. Also added support for internationalized domain names.

Section 4.3

 - Reworked entire section to clarify its intent. No changes to requirements.

Section 7

 - Added clarification on usage of DN in unauthenticated mechanism.

Section 9.2

 - Clarified cases where Base64 transforms are not needed for SASL challenges and responses. Also clarified use of the serverSaslCreds field in the BindResponse.

Section 9.7

 - Simplified SASL authorization identity grammar.

Section 12.1

 - Reworked several security considerations based on WG input.


>>> <Internet-Drafts@ietf.org> 08/17/05 1:50 pm >>>
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the LDAP (v3) Revision Working Group of the IETF.

Title: LDAP: Authentication Methods and Connection Level Security Mechanisms
Author(s): R. Harrison
Filename: draft-ietf-ldapbis-authmeth-15.txt
Pages: 45
Date: 2005-8-17

This document describes authentication methods and connection level
   security mechanisms of the Lightweight Directory Access Protocol
   (LDAP).

   This document details establishment of TLS (Transport Layer
   Security) using the StartTLS operation.

   This document details the simple Bind authentication method
   including anonymous, unauthenticated, and plain-text password
   mechanisms and the SASL (Simple Authentication and Security Layer)
   Bind authentication method including DIGEST-MD5 and EXTERNAL
   mechanisms.

   This document discusses various authentication and authorization
   states through which a connection to an LDAP server may pass and the
   actions that trigger these state changes.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-15.txt

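As an added illustration of the Section 3.1.5 change summarised above (the requirement that the server identity check MUST be performed against dNSName values when any are present in the server certificate's subjectAltName, plus internationalized domain name support), here is a small Python model of that check. It is not code from the draft, from the LDAP working group, or from Roger's message. The certificate's names are passed in as already-extracted strings rather than parsed from a real X.509 certificate, the function and parameter names are my own, and the treatment of "*" as the whole leftmost label matching exactly one label is an assumption made here. IDN handling uses Python's built-in idna codec to convert a reference identity to its ASCII form before comparison.

```python
# Added example (not from the draft or the WG): a model of the LDAP
# server identity check described for Section 3.1.5.  Names are supplied
# as strings; a real client would pull them out of the peer certificate.


def to_alabel(hostname: str) -> str:
    """Normalise a hostname to its lowercase ASCII (A-label) form.

    A reference identity such as "ldap.b\u00fccher.example" must compare
    against the ASCII dNSName actually stored in the certificate, so
    non-ASCII labels are converted with Python's idna codec.  A trailing
    dot (absolute name) is ignored for matching purposes.
    """
    hostname = hostname.rstrip(".").lower()
    return hostname.encode("idna").decode("ascii")


def dns_match(presented: str, reference: str) -> bool:
    """Compare one presented identity against the reference identity.

    Assumption made here: a "*" that is the entire leftmost label matches
    exactly one label; "*" anywhere else never matches.  Both inputs are
    expected to be A-labels already.
    """
    p_labels = presented.rstrip(".").lower().split(".")
    r_labels = reference.rstrip(".").lower().split(".")
    if len(p_labels) != len(r_labels):
        return False  # a wildcard never spans more than one label
    for index, (p_label, r_label) in enumerate(zip(p_labels, r_labels)):
        if p_label == "*" and index == 0:
            continue  # leftmost wildcard: any single non-empty label
        if "*" in p_label:
            return False  # partial or non-leftmost wildcard: reject
        if p_label != r_label:
            return False
    return True


def server_identity_ok(reference_identity: str,
                       san_dns_names: list,
                       cn_values: list) -> bool:
    """Apply the check as summarised for Section 3.1.5.

    If the certificate carries any dNSName values in subjectAltName, the
    reference identity MUST be matched against those values and only
    those values; the subject CN is consulted only when no dNSName is
    present.  Returns True when the certificate names the server the
    client intended to reach.
    """
    reference = to_alabel(reference_identity)
    if san_dns_names:
        # dNSName present: CN is ignored even if it would have matched.
        return any(dns_match(to_alabel(name), reference)
                   for name in san_dns_names)
    return any(dns_match(to_alabel(cn), reference) for cn in cn_values)


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real certificate.
    print(server_identity_ok("ldap.example.com",
                             ["ldap.example.com"], []))            # True
    print(server_identity_ok("ldap.example.com",
                             ["other.example.com"],
                             ["ldap.example.com"]))                # False
    print(server_identity_ok("ldap.b\u00fccher.example",
                             ["ldap.xn--bcher-kva.example"], []))  # True
```

The second call in the usage block is the case the new MUST rule is about: the CN would have matched, but because the certificate carries a dNSName the check is performed against the dNSName alone and fails. The third call shows the IDN path, where the U-label reference identity is converted to its A-label before it is compared with the ASCII dNSName.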