Re: AuthzIDs or DNs, but not both

--bob
 
Bob Blakley (blakley@dascom.com)
Chief Scientist, Dascom
 
>There are, I believe, strong arguments that the mere existence of authzid is
>a layering violation. The authentication protocol is the owner of identification
>and of the forms of identities, not application protocols.
 
I agree that there are strong arguments, and I agree with those arguments.  I think authorization data
should *never* be carried as part of an authentication and key exchange protocol, except as
an implementation convenience, for performance purposes, collapsing a formal architecture in
which authorization information should be encapsulated within an authenticated session.  In other
words, authorization information should be layered above authentication protocols -- always.
 
>And SASL has a way of handling authzid.
 
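The authzid handling that the quoted line refers to, worked through as an added example (this is not code from the thread or from any of its participants): a SASL PLAIN server step that verifies the credential first and only then consults a separate proxy-authorization policy to decide the effective identity, which is the layering argued for above. The credential store, the policy table, the salted-hash stand-in for a real password store and the sample messages are all constructed for the example.

```python
# Added example, not from the thread: SASL PLAIN with authorization layered
# strictly above authentication. Wire format per RFC 4616:
#     [authzid] NUL authcid NUL passwd
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed credential store: authcid -> salted SHA-256 of the password.
_SALT = b"constructed-salt"


def _h(pw: str) -> bytes:
    return hashlib.sha256(_SALT + pw.encode("utf-8")).digest()


CREDENTIALS = {"alice": _h("s3cret"), "proxy-svc": _h("pr0xy"), "bob": _h("hunter2")}

# Constructed proxy-authorization policy: authenticated identity -> identities
# it may act as. Consulted only after authentication has succeeded.
PROXY_POLICY = {"proxy-svc": {"alice", "bob"}}


def parse_plain(message: bytes) -> Tuple[str, str, str]:
    """Split a SASL PLAIN message into (authzid, authcid, passwd)."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def authenticate(authcid: str, passwd: str) -> bool:
    """Layer 1: verify the credential. Knows nothing about authzid."""
    stored = CREDENTIALS.get(authcid)
    return stored is not None and hmac.compare_digest(stored, _h(passwd))


def authorize_identity(authcid: str, authzid: str) -> Optional[str]:
    """Layer 2: effective identity for an already-authenticated authcid."""
    if authzid == "" or authzid == authcid:
        return authcid  # empty authzid means "act as the authenticated identity"
    if authzid in PROXY_POLICY.get(authcid, set()):
        return authzid  # policy explicitly permits proxying as authzid
    return None  # authenticated, but not authorized to assume authzid


def server_step(message: bytes) -> Optional[str]:
    """Return the session's effective identity, or None if the step fails."""
    try:
        authzid, authcid, passwd = parse_plain(message)
    except ValueError:
        return None
    if not authenticate(authcid, passwd):
        return None  # the authorization layer is never reached unauthenticated
    return authorize_identity(authcid, authzid)
```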