Re: Updated version of "X.509 Authentication SASL Mechanism"



On Wed, 1 Jul 1998, Steve Kille wrote:
> 2) I added the "generation-time" field, and Sean questioned its use.
> This time information is allowed in the general X.509 framework,
> although X.500 does not use it.  It seems to me that the party doing
> the authentication may have a policy on timeouts, and so this field
> may be useful in addition to the "time" field which is set according
> to the policy of the party being authenticated.  I'd appreciate input
> on this.

I'd be inclined to leave it out.  While the concept of restricting the
timeout length is interesting, I don't think it's complete without a way
to find out the other party's policy.  Once you add policy discovery to
the mix, it's probably too complex to be worth it for this case.

		- Chris