Re: comments on draft-ietf-ldapext-authmeth-01.txt



Thank you for your careful review of this document.  I have no problem 
making changes to the authentication methods draft based on many of your 
comments.  

However, authorization identities presented to LDAP servers by clients through 
SASL mechanisms are and should remain the string form of LDAP Distinguished 
Names.  There are already specifications and/or conventions of mechanisms for 
representing other forms of identifiers, such as URLs, domain names and RFC 822
mail addresses, as attributes, and I believe it would be possible to specify 
most any other type of authorization id as a representation in an attribute 
type and value and thus be usable in a DN.  This allows an LDAP server to have 
a consistent mechanism to handle the representation of authorization identities,
support multiple forms of authorization simultaneously for different clients, 
and allow for authorization of clients whose entry is held by that server.

Allowing arbitrary strings in place of DNs would lead to a significant 
interoperability problem: how does a server recognize a string as belonging to 
a particular method of authorization, how could it route the authorization 
process to the appropriate component for verification, and how could a set of 
cooperating servers interwork without a common or replicable mechanism for 
performing access control checks?  While DNs are not a universal panacea, for 
these reasons I believe their strong typing and hierarchical aspects are 
beneficial for representing authorization information.

Mark Wahl, Directory Product Architect
Innosoft International Inc. / Critical Angle Inc.
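As an added example (not part of Mark Wahl's message, and not code from any LDAP server), the following shows the recognition and routing problem the message raises: a SASL authorization identity arrives as a string, the server checks that it is the string form of a DN (RFC 2253 syntax), and then dispatches on the attribute types in that DN to the component that handles that kind of identifier. Anything that is not a DN is rejected rather than guessed at. The attribute types dc, mail and labeledURI are standard LDAP types, but the mapping of them to a "domain", "rfc822" or "url" authorization method, and the handler table, are assumptions made for the illustration; the parser handles backslash escapes and quoted values but not hex-string (#...) values.

```python
"""Illustrative routing of DN-form SASL authorization identities (added example)."""

HEX = '0123456789abcdefABCDEF'


def _finish(buf):
    """Join buffered (char, escaped) pairs, dropping unescaped leading/trailing spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (' ', False):
        start += 1
    while end > start and buf[end - 1] == (' ', False):
        end -= 1
    return ''.join(ch for ch, _ in buf[start:end])


def parse_dn(dn):
    """Parse an RFC 2253 DN string into a list of RDNs, each a list of
    (attribute-type, value) pairs with lower-cased types.  Supports '\\,'
    and '\\2C' style escapes and double-quoted values; raises ValueError for
    any string that is not a DN (bare tokens, mail addresses, empty input)."""
    rdns, rdn, key, buf = [], [], None, []   # buf holds (char, escaped) pairs
    in_quotes, i, n = False, 0, len(dn)
    while i < n:
        c = dn[i]
        if c == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX for h in pair):
                buf.append((chr(int(pair, 16)), True)); i += 3; continue
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            buf.append((dn[i + 1], True)); i += 2; continue
        if c == '"':
            in_quotes = not in_quotes; i += 1; continue
        if not in_quotes:
            if c == '=' and key is None:
                key = _finish(buf)
                if not key:
                    raise ValueError("empty attribute type")
                buf = []; i += 1; continue
            if c in ',;+':
                if key is None:
                    raise ValueError("separator before an attribute type")
                rdn.append((key.lower(), _finish(buf)))
                key, buf = None, []
                if c != '+':
                    rdns.append(rdn); rdn = []
                i += 1; continue
        buf.append((c, in_quotes)); i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    if key is None:
        raise ValueError("not a DN: no attribute type = value pair")
    rdn.append((key.lower(), _finish(buf)))
    rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape an attribute value for the string DN form (RFC 2253 section 2.4)."""
    out = ''.join('\\' + ch if ch in ',+"\\<>;' else ch for ch in value)
    if value.endswith(' '):
        out = out[:-1] + '\\ '
    if value.startswith('#') or (value.startswith(' ') and len(value) > 1):
        out = '\\' + out
    return out


def format_dn(rdns):
    """Re-serialise parsed RDNs into a normalised string DN."""
    return ','.join('+'.join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


def classify_authzid(authzid):
    """Return (method, identifier) for a DN-form authorization identity.
    The method names and the attribute-type conventions are assumptions."""
    rdns = parse_dn(authzid)                      # rejects non-DN strings
    types = [t for rdn in rdns for t, _ in rdn]
    if all(t == 'dc' for t in types):             # domain name as dc components
        return 'domain', '.'.join(v for rdn in rdns for _, v in rdn)
    if len(rdns) == 1 and len(rdns[0]) == 1:
        t, v = rdns[0][0]
        if t == 'mail':                           # RFC 822 address as an attribute
            return 'rfc822', v
        if t == 'labeleduri':                     # URL as an attribute
            return 'url', v
    return 'dn', format_dn(rdns)                  # entry held by this server


def route_authzid(authzid, handlers):
    """Dispatch to the (hypothetical) component registered for the method."""
    method, ident = classify_authzid(authzid)
    if method not in handlers:
        raise LookupError(f"no authorization component for method {method!r}")
    return handlers[method](ident)


if __name__ == '__main__':
    # Constructed handlers: a real server would consult its access-control data.
    demo = {m: (lambda m: lambda ident: f"{m} authz for {ident}")(m)
            for m in ('domain', 'rfc822', 'url', 'dn')}
    for s in ('dc=example,dc=com', 'mail=joe@example.com',
              r'CN=Bloggs\, Joe, o=Ex', 'u:joe'):
        try:
            print(s, '->', route_authzid(s, demo))
        except ValueError as e:
            print(s, '-> rejected:', e)
```

A value that itself contains ',' or '=' (a URL with a query, a mail address with a comma in a display name) has to be escaped or quoted to survive as a DN attribute value; the parser and `escape_value` above show both directions of that rule, which is the price of the strong typing the message argues for.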