RE: C LDAP API: security considerations

[Harald Tveit Alvestrand <Harald@Alvestrand.no>]

At 09:13 15.11.99 -0800, Paul Leach (Exchange) wrote:

> You propose a fine mechanism.
>
> I would note that it is _not_ implemented in IE. It is implemented _below_ 
> the WinInet API, which is the layer that IE, and lots of other apps, use 
> to do HTTP. I.e., it is the moral equivalent of the LDAP API.

:-)

I expect that any real system will have multiple layers of API, and that 
the lower layers get standardized first (kind of having standard base 
classes and non-standard derived classes in an OO model).

we standardize what we can agree upon.


> >
> > For servers in the "expensive" zone, the UI will pop up a
> > dialog box before
> > chasing a referral.
>
> I would note that one can't rely on any client-side mechanism to prevent 
> denial-of-service attacks on the server, if that was your intent. In 
> particular, the "expensive" zone won't prevent malicious clients from 
> bogging down LDAP servers with public key operations. For non-malicious 
> clients, the 20ms or so of CPU it costs for the public key operations is 
> not likely to be a big deal worth annoying the user about. (Whereas it is 
> a big deal to limit servers to the 50-100 requests per second that such a 
> CPU cost implies.)

of course - I imagined the "expensive" zone to contain things like 
Dun&Bradstreet database lookups - basically when the client pays real money 
for the info, not related to denial-of-service.

My concern is that a client should be *able* to behave in a way that is 
both non-malicious and secure; at the moment I don't think we're ready to 
standardize this, so following referrals should be done above the API layer 
that we're currently attempting to standardize.

                                  Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no