
Re: Fwd: I-D ACTION:draft-ietf-ldapbis-authmeth-16.txt



The following section 3.1.5.1 needs some clarification:
   The "*" wildcard character is allowed in subjectAltName values of
   type dNSName.  If present, it matches only the left-most label from
   the subjectAltName.  For example, *.bar.com would match a.bar.com   
   and b.bar.com, but it would not match a.x.bar.com nor would it match
   bar.com.

I suggest:
   The '*' (ASCII 42) wildcard character is allowed in subjectAltName
   values of the type dNSName and then only as the left-most
   (least significant) DNS label in that value.  This wildcard
   matches any left-most DNS label in the server name.  That is,
   the subject *.example.com matches the server names
   a.example.com and b.example.com but not the server name
   example.com.

-- Kurt
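The wildcard rule in the suggested text above, carried through as a small
matcher. This is an added example written for this page; it is not code
from the draft, from OpenLDAP, or from Kurt's message. The function names
dnsname_matches and server_identity_check and the SAN values in the demo
are assumptions. It implements the suggested wording literally ('*' only as
the whole left-most label, matching exactly one left-most label of the
server name, so *.example.com matches a.example.com but neither example.com
nor a.x.example.com) plus one conservative check the draft text does not
state, rejecting a bare "*" with no labels after it.

```python
"""Match an LDAP server name against dNSName subjectAltName values.

Added example, not text or code from draft-ietf-ldapbis-authmeth-16.
Implements the wildcard rule as worded in the suggested section 3.1.5.1
text: '*' is allowed only as the entire left-most label of a dNSName
value and matches exactly one left-most label of the server name.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot marks an
    # absolute name and is dropped first.  Assumption: inputs are plain
    # ASCII (A-label) names; no IDNA processing is done here.
    return name.rstrip(".").lower().split(".")


def dnsname_matches(san_value: str, server_name: str) -> bool:
    """Return True if the dNSName SAN value identifies server_name."""
    san = _labels(san_value)
    host = _labels(server_name)
    if not host or any(label == "" for label in host):
        return False  # malformed server name (empty label)
    if "*" not in san_value:
        return san == host  # no wildcard: exact, case-insensitive match
    # Wildcard form: '*' must be the whole left-most label and must not
    # appear anywhere else in the value (rejects f*.example.com, a.*.com).
    if san[0] != "*" or any("*" in label for label in san[1:]):
        return False
    if len(san) < 2:
        return False  # assumption beyond the draft text: reject a bare "*"
    # The wildcard stands for exactly one label, so the label counts must
    # agree: *.example.com matches neither example.com (too few labels)
    # nor a.x.example.com (too many).
    if len(host) != len(san):
        return False
    return host[1:] == san[1:]


def server_identity_check(san_dnsnames: Iterable[str], server_name: str) -> bool:
    """Accept the certificate if any dNSName SAN value matches the name
    the client used to reach the server."""
    return any(dnsname_matches(v, server_name) for v in san_dnsnames)


if __name__ == "__main__":
    # Constructed SAN values, as a client would read them from the server
    # certificate's subjectAltName; not taken from any real certificate.
    sans = ["ldap.example.com", "*.example.com"]
    for name, expected in [("a.example.com", True), ("b.example.com", True),
                           ("example.com", False), ("a.x.example.com", False),
                           ("LDAP.EXAMPLE.COM.", True)]:
        got = server_identity_check(sans, name)
        print(f"{name:20} -> {got}  (expected {expected})")
        assert got == expected
```

Note that with the draft's original wording a reader could argue *.bar.com
matches only a.bar.com-shaped names by accident of the example; the
suggested wording pins down both the position of the wildcard in the SAN
value and what it consumes in the server name, which is what the label
count check above encodes.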

At 06:52 AM 10/18/2005, Roger Harrison wrote:

>Authmeth-16 resolves all outstanding comments from the ldapbis WG on previous revisions of the draft. Some fairly substantial changes were needed for server identity check (section 3.1.5) and authorization state (section 4) in particular. Please review and get me comments by the end of day Thursday to help me get the -17 draft published prior to the IETF 64 meeting.
>
>Summary of changes for draft-ldapbis-authmeth-16 
>
>General 
>
>    - Resolved all known outstanding issues and comments for -15 draft. 
>
>    - Numerous edits for clarity and consistency. 
>
>    - Renamed simple authentication mechanism to name/password mechanism. 
>
>    - Resolved some remaining issues with session/connection terminology 
>
>    - Replaced DIGEST-MD5 SASL authentication mechanism with name/password authentication protected with TLS as the "strong" mandatory-to-implement for LDAP. 
>
>    - Removed all normative references to SASL DIGEST-MD5 mechanism. 
>
>    - Moved sections on authentication mechanisms of the simple bind method into Simple Authentication Method. 
>
>    - Moved sections on SASL profile and SASL authentication mechanisms into section SASL Authentication Method section. 
>
>Section 3.1.5 
>
>    - Rewrote server identity check algorithm. 
>
>Section 4 
>
>    - Rewrote authorization state section. 
>
>Section 5.1.2.7 
>
>    - Added text indicating that the authzID is a construct that can be extended by future publications. 
>
>Appendix B 
>
>    - Began a new (and currently redundant) appendix to summarize substantive changes made to the protocol via this document. This appendix is currently unfinished. 
>
>Thanks, 
>
>Roger 
>
>
>>>> <Internet-Drafts@ietf.org> 10/14/05 1:50 pm >>>
>A New Internet-Draft is available from the on-line Internet-Drafts directories.
>This draft is a work item of the LDAP (v3) Revision Working Group of the IETF.
>
>Title: LDAP: Authentication Methods and Security Mechanisms
>Author(s): R. Harrison
>Filename: draft-ietf-ldapbis-authmeth-16.txt
>Pages: 46
>Date: 2005-10-14
>
>This document describes authentication methods and security
>   mechanisms of the Lightweight Directory Access Protocol (LDAP).
>
>   This document details establishment of Transport Layer Security
>   (TLS) using the StartTLS operation.
>
>   This document details the simple Bind authentication method
>   including anonymous, unauthenticated, and name/password mechanisms
>   and the Secure Authentication and Security Layer (SASL) Bind
>   authentication method including the EXTERNAL mechanism.
>
>   This document discusses various authentication and authorization
>   states through which a session to an LDAP server may pass and the
>   actions that trigger these state changes.
>
>A URL for this Internet-Draft is:
>http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-16.txt
>
>Internet-Drafts are also available by anonymous FTP. Login with the username
>"anonymous" and a password of your e-mail address. After logging in,
>type "cd internet-drafts" and then
>"get draft-ietf-ldapbis-authmeth-16.txt".
>
>A list of Internet-Drafts directories can be found in
>http://www.ietf.org/shadow.html
>or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
>Internet-Drafts can also be obtained by e-mail.
>
>Send a message to:
>mailserv@ietf.org.
>In the body type:
>"FILE /internet-drafts/draft-ietf-ldapbis-authmeth-16.txt".
>
>NOTE:The mail server at ietf.org can return the document in
>MIME-encoded form by using the "mpack" utility.  To use this
>feature, insert the command "ENCODING mime" before the "FILE"
>command.  To decode the response(s), you will need "munpack" or
>a MIME-compliant mail reader.  Different MIME-compliant mail readers
>exhibit different behavior, especially when dealing with
>"multipart" MIME messages (i.e. documents which have been split
>up into multiple messages), so check your local documentation on
>how to manipulate these messages.
>