
RE: X.509 SASL Mechanism

> -----Original Message-----
> From:	Steve Kille [SMTP:S.Kille@isode.com]
> Sent:	Wednesday, May 20, 1998 6:33 PM
> To:	ietf-ldapext@netscape.com
> Subject:	X.509 SASL Mechanism
> 
> I submitted a draft on an X.509 SASL mechanism to this WG.  I have
> received technical input on this, and comments that this work is
> useful (none negative so far).  
> 
> I spoke with the area director and the WG chairs.  They view that the
> LDAPEXT WG is the right place for this work,  and are happy to see
> this added to the charter, provided that the WG as a whole is OK with
> this.
> 
> I propose that developing a SASL based mechanism using X.509 is added
> to the charter of this WG.
> 
> Are there any objections to this?
> 
	None - but the issue of distributed, mutual authentication
between servers and interface to CA directories has to be looked at.
While LDAP is non-distributed - it seems a bit pointless using X.509 and
key mgt mechanisms and strong auth to get to your information in your
server at your place. And if one wants to get at other servers (without
X.500 backbones) with LDAP only, one has to replicate everything
everywhere. i.e. the LDAP only concept is broken for big directory systems
that may have many CA directories providing cert paths. i.e. the LDAP
server (unless one has the LDAP configuration army) has to support the
certificates that it uses, including the complete certificate path to all
its CAs which must use the server in question.

	Interface mechanisms can be interesting, but a single server
architecture that gets more and more complex with mechanisms without
scalable utility is not that useful.

	OR perhaps this work will assume the full support of a
distributed X.500 infrastructure. In that case, why not X.500 Bind/X.509
authentication processes instead of SASL?

	regards alan
> Steve Kille
> 
>