
Re: Authlevel in LDAP ACI



At 08:45 PM 4/18/00 -0500, Ellen Stokes wrote:
>Here's a sketchy BNF for incorporating authentication strength
>and mechanism per today's discussion.
>
>< ldapACI > ::= < acl entry syntax >
>
>< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#'
>                              + < rights >  + '#' + < dnType >
>                              + < authLevel > + '#' + < subjectDn >
>
>< authLevel > ::= "none" | "simple" | <strong>
>
>< strong > ::= "strong" | < SASLauth >
>
>< SASLauth > ::= "SASL" + ':' + < SASLmech >
>
>< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | "KERBEROS-ID" |< printableString 

KERBEROS-ID is not a SASL mechanism, it's a form of authorization
(access) identity.

>
>Assumption here is that anything other than none or simple is strong and
>strong can be specified as strong (any other mechanism) or an explicit
>mechanism.

This use of "strong" is misleading.  Simple authentication when
solid privacy and integrity are in place (ala TLS, IPSEC) is
actually stronger than DIGEST-MD5 without such protections.
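As an added illustration of the sketch under discussion (this is not code from the thread or from any LDAP server), here is a small parser for the proposed ldapACI string and an evaluator for its authLevel field. It assumes '#' also separates dnType from authLevel (the sketch shows no separator there), that "strong" means any SASL mechanism as the quoted note states, and that a bind is described by a method ("anonymous", "simple", "sasl") plus an optional mechanism name.

```python
# Constructed example: parse the sketched ldapACI syntax and evaluate authLevel.
# Assumption: six '#'-separated fields, in the order given by the BNF sketch.
from dataclasses import dataclass
from typing import Optional

AUTH_KEYWORDS = ("none", "simple", "strong")


@dataclass
class LdapAci:
    family_oid: str
    scope: str
    rights: str        # the sketch does not define <rights>; kept as raw text
    dn_type: str
    auth_level: str    # "none" | "simple" | "strong" | "SASL:<mech>"
    subject_dn: str


def parse_aci(text: str) -> LdapAci:
    """Split an ACI value into its fields and validate the authLevel token."""
    parts = text.split("#")
    if len(parts) != 6:
        raise ValueError("expected 6 '#'-separated fields, got %d" % len(parts))
    family, scope, rights, dn_type, auth_level, subject = parts
    if auth_level not in AUTH_KEYWORDS and not (
        auth_level.startswith("SASL:") and len(auth_level) > len("SASL:")
    ):
        raise ValueError("bad authLevel: %r" % auth_level)
    return LdapAci(family, scope, rights, dn_type, auth_level, subject)


def auth_level_satisfied(required: str, bind_method: str,
                         sasl_mech: Optional[str] = None) -> bool:
    """Apply the sketch's ordering none < simple < strong (any SASL mech).

    Note the ordering looks only at the bind method: a simple bind over TLS
    ranks below DIGEST-MD5 without transport protection, which is the point
    the reply above raises against the "strong" label.
    """
    if required == "none":
        return True
    if required == "simple":
        return bind_method in ("simple", "sasl")
    if required == "strong":
        return bind_method == "sasl"
    # Explicit mechanism, "SASL:<mech>": only that mechanism qualifies.
    return bind_method == "sasl" and sasl_mech == required.split(":", 1)[1]


# Constructed sample ACI value (hypothetical OID and DN).
SAMPLE_ACI = "1.2.3.4#entry#grant;read#access-id#SASL:DIGEST-MD5#cn=Ellen,o=Example"
```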