[Date Prev][Date Next] [Chronological] [Thread] [Top]

Comments on X.509 SASL Authentication Mechanism

To: Steve Kille <S.Kille@isode.com>
Subject: Comments on X.509 SASL Authentication Mechanism
From: Sean Turner <turners@ieca.com>
Date: Fri, 17 Apr 1998 12:10:10 -0400
Cc: ietf-ldapext@netscape.com
Delivered-to: ldapext-archive@critical-angle.com
Organization: IECA, Inc.
References: <6041.891225799@isode.com>
Resent-date: Fri, 17 Apr 1998 09:11:46 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"bupIh.0.5v2.oytDr"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Steve,

Hi!

Finally got around to reviewing your draft. All of my comment are on the SASLBindToken format (section 5).

The first sentence says that the format is based on the X.511 syntax so why is it different? Do the tags need to be the same for interoperability?

If you're not some much worried about having the same syntax then I'd suggest the following changes:

1. Can we change time to be either GeneralizedTime or Time, where Time (from X.509) is:
Time ::= CHOICE {
utcTime UTCTime,
generalizedTime GeneralizedTime }

2. Can we add a specific field for a random response? If we add the separate field then we don't have to specify special handling procedures for concatenation of the response random with the request random. Syntax as follows:

response [5] BIT STRING OPTIONAL,

If you don't add the response field I'd suggest adding text to describe the concatenation:

a. As initiator (or invoker), encode the initiator/invoker-supplied random number rA (a BIT STRING) in the form of a BIT STRING containing the value rA, encoded most significant bit first, potentially with leading 0's (i.e. it is legitimate to round off the bits to 8-bit boundaries).

b. As responder (or performer), encode the random number rB (a BIT STRING) in the form of a BIT STRING containing the simple concatenation of rA and rB. For example, if rA is 1A3C5016 and rB is 03E66016, then the resulting bitstring is the 1A3C5003E66016, again with most significant bit first; rA being retained as is, and rB potentially having leading 0's.

c. As initiator (or invoker), declare the returned credentials as invalid if the returning random1 or random bitstring is not the same as the outgoing bitstring with additional bits concatenated.

3. Do we need the generation-time field or is the time field understood to be the initiator's clock plus some value?

4. If we keep generation-time and subject-name can we re-tag them as [10] and [11], respectively? The '97 Token from X.511 already has tags numbered 5-9. Note the field tagged [5] is a random response field.

Cheers,

--
Sean Turner - IECA, Inc.

Follow-Ups:
- Re: Comments on X.509 SASL Authentication Mechanism
  - From: Steve Kille <S.Kille@isode.com>

Prev by Date: RE: draft-ietf-ldapext-ldapv3-txn-00.txt More ..
Next by Date: RE: LDAP C API draft - LDAPMessage lifetime?
Index(es):
- Chronological
- Thread