Roger Harrison wrote:
Alexey Melnikov wrote:
Excuse me for bringing the following issue so late. There is some text
about DIGEST-MD5 in draft-ietf-ldapbis-authmeth-15.txt that bothers me:

10. SASL DIGEST-MD5 Authentication Mechanism

Support for subsequent authentication ([DIGEST-MD5] section 2.2) is
OPTIONAL in clients and servers.

The sentence seems to be trying to update the definition of the DIGEST-MD5 SASL
mechanism. This goes against the "a protocol profile SHOULD NOT attempt to
amend the definition of mechanisms" statement in the SASL document. If there is
an interoperability problem due to the lack of the quoted sentence, then perhaps
the DIGEST-MD5 document is a better place to address it.

The text in question from authmeth-15 dates back to RFC 2829, so I can
only speculate on the reason for including it. I imagine it was included
to provide the information without requiring the user to dig into the
DIGEST-MD5 document.
With careful reading, it appears that the DIGEST-MD5 document already
states that neither client nor server is required to support subsequent
authentication even when the protocol profile allows it, so this text
does not change the intent of DIGEST-MD5.

Right.

I can see some options:

1. Leave text as-is. Probably not satisfactory, particularly due to the
OPTIONAL keyword being used in the sentence.
2. Modify text to remove keyword. Possible new text: "Note that DIGEST-MD5
does not require clients or servers to support subsequent authentication
([DIGEST-MD5] section 2.2)."
3. Remove the text altogether and let people deduce this fact by
reading [DIGEST-MD5].

I prefer #2 and would consider #3 if the text in [DIGEST-MD5] were made
more explicit regarding the optional nature of subsequent authentication
support.

I think #2 is sensible: you need to make clear that this is not an
additional requirement, but just an extract from the DIGEST-MD5 document.