[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
From: Howard Chu <hyc@highlandsun.com>
Date: Thu, 22 Sep 2005 13:39:44 -0700
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <6.2.1.2.0.20050922121846.02ac5af0@mail.openldap.org>
References: <6.2.1.2.0.20050906130652.02b51008@mail.openldap.org> <6.2.1.2.0.20050919102514.034be718@mail.openldap.org> <6.2.1.2.0.20050922121846.02ac5af0@mail.openldap.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050921 SeaMonkey/1.1a

Section 3.1.4 Discovery of Resultant Security Level This refers to 3.2.3 which does not exist. I can't tell what it was intended to reference.

Also there are many references to [Protocol] section 4.13.x.x which probably should now be 4.14.xx.

Section 3.1.5 Server Identity Check This section talks about how a client must verify a server's name against the identity presented in the server's certificate. This clause - The "*" wildcard character is allowed in the server name provided by the user. If present, it matches only the left-most label from the subjectAltName. makes no sense to me. That implies that I can issue an ldap request to e.g. ldap://*.example.com, which at a glance means to perform a DNS zone transfer against example.com and then issue an LDAP query against every DNS host record that's returned. I don't see how it makes any sense for a user to provide wildcarded server names to a client. In RFC2830 it was clear that wildcard characters could be present in the certificate, and that usage makes sense. Why is the use of wildcards reversed here? This invalidates many already-deployed RFC2830-conforming server certificates, if nothing else.

Section 3.3
2nd bullet
	"confidentially" should be "confidentiality"

Kurt D. Zeilenga wrote:

The WGLC will now close on Tuesday, 27 September 2005.
It is hoped that this extension will allow for additional
review and comment.  If you haven't commented already,
please take some time in the next few days to do so.
Thanks, Kurt
At 10:27 AM 9/19/2005, Kurt D. Zeilenga wrote:
Please note this WGLC closes this Thursday!  Please review
and comment (and if you have no comments, drop a note to
chairs so).
-- Kurt
At 01:10 PM 9/6/2005, Kurt D. Zeilenga wrote:
This message initiates a LDAPBIS Working Group Last Call on the
document:
Title: LDAP: Authentication Methods and Connection Level Security Mechanisms Editor: R. Harrison Filename: draft-ietf-ldapbis-authmeth-15.txt

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
  - From: "Roger Harrison" <RHARRISON@novell.com>

References:
- WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Reminder: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
Next by Date: Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
Index(es):
- Chronological
- Thread