
comments on draft-ietf-ldapext-ldapv3-tls-01.txt



>3.3.  Response other than "success"
>
>this indicates that the server is unwilling or unable to negotiate TLS.
>
>If the Start TLS extended request was not successful, the resultCode
>will be one of:
>     operationsError    (operations sequencing incorrect; e.g. TLS already
>                         established)
>
>     protocolError      (TLS not supported or incorrect PDU structure)
>
>     referral           (this server doesn't do TLS, try this one)
>
>     unavailable        (e.g. some major problem with TLS, or server is
>                         shutting down)
>
Any particular reason for not using authMethodNotSupported as the resultCode in case the
LDAP server does not support TLS and cannot return a referral? This way protocolError
needs to be sent only in case of invalid PDUs.
 
 

>4.6.  Server Identity Check
>
>The client SHOULD check its understanding of the server's hostname
>against the server's identity as presented in the server's Certificate
>message, in order to prevent man-in-the-middle attacks.
>
>If a subjectAltName extension of type dNSName is present, it SHOULD be
>used as the source of the server's identity.
>

This paragraph is a duplicate.

>Matching is performed according to these rules:
>
>   - The client MUST use the server hostname it used to open
>     the LDAP connection as the value to compare against the
>     server name as expressed in the server's certificate.
>     The client MUST NOT use the server's canonical DNS name or
>     any other derived form of name.
>
>   - If a subjectAltName extension of type dNSName is present
>     in the certificate, it SHOULD be used as the source of the
>     server's identity.
In the absence of a subjectAltName extension of type dNSName in the certificate: how should
the comparison algorithm look, as the only LDAP server name in the cert, the
subjectName field, will be an X.500 Distinguished Name? Some RDNs may contain rfc822MailBox
names or something else that allows a mapping onto the server's hostname.

The cert may also contain subjectAltName extensions distinct from dNSName, but nevertheless
suitable for the identity check, e.g. rfc822Name, uniformResourceIdentifier or iPAddress.
The original text seems to mandate that an LDAP server needs to possess a cert with the
dNSName altName extension.
>
>   - Matching is case-insensitive.
>
>   - The "*" wildcard character is allowed.
 
 

Helmut Baumgaertner <Helmut.Baumgaertner@mch.sni.de>
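The section 4.6 matching rules quoted above, as an added example that is not part of the draft or of this message. It assumes that a "*" wildcard covers a single DNS label (the draft does not say) and, for the case the message raises, that the subject commonName is consulted only when no dNSName is present; the certificate data is passed in as plain values rather than parsed from a real certificate.

```python
import re
from typing import Iterable, Optional


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the connection hostname.

    Matching is case-insensitive and "*" is allowed, as the draft says. The
    draft does not define the reach of a wildcard; this example assumes "*"
    stands for any run of characters within a single DNS label, so
    "*.example.com" matches "ldap.example.com" but not "a.b.example.com".
    """
    # A single trailing dot (absolute name) is ignored on both sides.
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    regex = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, hostname) is not None


def server_identity_ok(connect_host: str,
                       dns_names: Iterable[str],
                       subject_cn: Optional[str] = None) -> bool:
    """Apply the draft's server identity check.

    connect_host: the hostname the client used to open the LDAP connection.
                  The caller passes it exactly as used; no canonical or other
                  derived form is computed here (draft: MUST NOT).
    dns_names:    subjectAltName entries of type dNSName from the certificate.
    subject_cn:   commonName from the subject DN. The draft is silent on this
                  case; falling back to it is an assumption of this example.
    """
    names = list(dns_names)
    if names:
        # dNSName present: it is the identity source, the subject DN is
        # not consulted even if it would match.
        return any(_pattern_matches(n, connect_host) for n in names)
    if subject_cn is not None:
        return _pattern_matches(subject_cn, connect_host)
    return False
```

With a short name such as "ldap" used to connect, a certificate for "ldap.example.com" is rejected: the client compares the name it typed, not the resolver's canonical name.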