
RE: Authentication Methods for LDAP - last call



On Thu, 13 Aug 1998, Paul Leach wrote:
> I agree it would be nice to have a spec for Digest as a SASL mechanism. I
> also think it would be much better if section 8.1 said "here's how to use a
> SASL mechanism in LDAP"; it shouldn't need to mention CRAM-MD5 at all if it
> is well enough specified as a SASL mechanism. Of course, as you noted, there
> is no spec that says "here's how to use CRAM-MD5 as a SASL mechanism",
> either, and being more explicit there couldn't hurt.

CRAM-MD5 is a SASL mechanism.  The basics of a SASL mechanism are that it
involves an alternating exchange of singleton octet-strings between client
and server and is not designed for use by a single protocol.  HTTP digest
relies on the syntax structure provided by the HTTP authentication header.
While it is possible to recast it as a SASL mechanism, it involves
inheriting syntax from the HTTP base spec.

RFC 2222 (SASL) is a proposed standard revision of RFC 1731 (also a
proposed standard).  The primary difference is that RFC 2222 includes
rules for how to define a SASL profile and mechanism.

RFC 2251 (LDAP spec) includes a SASL profile.  Unfortunately, it missed
two of the RFC 2222 requirements for a SASL profile -- namely to define
the meaning of an authorization ID in LDAP and include a GSSAPI service
name (which has now been registered with IANA).  With the exception of
those two oversights, there is a complete specification of how to use
CRAM-MD5 in LDAP already on the standards track.

Now I think the auth-meth draft goes into much more detail about how
CRAM-MD5 is used than is really necessary.  But I'm not about to complain
about a spec which goes into too much detail unless there were a chance
for aliasing.

BTW, the CRAM-MD5 spec could be revised to reference SASL rather than RFC
1731/1734 at any time -- the change is only a change in reference, not in
content. The plan is to do so when CRAM-MD5 and SASL move to draft
standard.  I've already interoperability tested CRAM-MD5 in our IMAP
server with about 5 different clients and in our SMTP server with several
clients.  CRAM-MD5 has been ready to move to draft standard for months,
with only the normative reference to SASL (and its precursor) holding it
back. 

		- Chris
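The alternating octet-string exchange described above, worked through for CRAM-MD5 (RFC 2195) as an added example that is not part of this message or of any of the specifications it names; the hostname, user name and shared secret are constructed, and the credential store is a plain dictionary standing in for whatever the server actually uses.

```python
import hashlib
import hmac
import secrets

# CRAM-MD5 is two singleton octet strings: a server challenge and a client
# response. Nothing here depends on the carrying protocol; IMAP base64-encodes
# both strings inside a continuation, LDAP carries them as raw octets in the
# BindRequest/BindResponse SASL credentials. That independence from protocol
# syntax is what makes it a SASL mechanism, unlike HTTP Digest, whose
# parameters live in the HTTP authentication header.

def make_challenge(hostname: str) -> bytes:
    """Server step: a fresh, unpredictable challenge in the RFC 2195 form <nonce@host>."""
    return f"<{secrets.token_hex(8)}@{hostname}>".encode()

def client_response(username: str, secret: str, challenge: bytes) -> bytes:
    """Client step: "username SP hex(HMAC-MD5(secret, challenge))"."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()

def server_verify(response: bytes, challenge: bytes, lookup) -> bool:
    """Server step: recompute the MAC with the stored secret and compare.

    The server must hold the shared secret (or a plaintext-equivalent of it)
    to do this, which is the main operational cost of CRAM-MD5.
    """
    try:
        username, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so a forged digest cannot be probed byte by byte.
    return hmac.compare_digest(expected, digest)

def sasl_exchange(username: str, secret: str, lookup, hostname="ldap.example.com") -> bool:
    """Run the full challenge/response round trip and report the bind outcome."""
    challenge = make_challenge(hostname)          # server -> client
    response = client_response(username, secret, challenge)  # client -> server
    return server_verify(response, challenge, lookup)

if __name__ == "__main__":
    store = {"alice": "constructed-shared-secret"}  # constructed credential store
    print("bind ok:", sasl_exchange("alice", "constructed-shared-secret", store.get))
    print("bad secret rejected:", not sasl_exchange("alice", "wrong", store.get))
```

Because the digest is bound to the server's challenge, a captured response is useless against a later bind with a different challenge, but the stored secret must still be protected as carefully as a password.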