[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAPDN and AuthMeth/DIGEST-MD5

To: ietf-ldapext@netscape.com
Subject: LDAPDN and AuthMeth/DIGEST-MD5
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
Date: Thu, 18 Nov 1999 15:45:00 -0800
Resent-date: Thu, 18 Nov 1999 15:47:02 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"6z486.A.ytF.u_IN4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

The AuthMeth draft does not specify a canonical DN form
for use with the DIGEST-MD5 algorithm.   Without such, the
server must dynamically determine response-value based upon
user provided DN and cleartext password stored for with this
DN.

I believe the AuthMeth draft should specify a canonical
DN form for use with the DIGEST-MD5 and similar mechanisms.
In fact, it may be appropriate to require use of this form
within AuthzIDs (though I suggest we remove AuthzIDs
altogether, but that another thread).

The AuthMeth draft should also clarify as whether or not the
DIGEST-MD5 username (and/or authzid) string provided by
client is string encoding of a DN, a string encoding of an
AuthMeth authzId, or a string encoding of a AuthMeth uAuthzId
userid value.  

I should also note that AuthMeth draft defined keywords
are easily confused with DIGEST-MD5 keywords (authzid
vs authzId).  I suggest that AuthMeth rename its authzId
keyword.

In addition, The AuthMeth document does not describe if or
how applications may advance features of DIGEST-MD5, such
as integrity protection and confidentiality protection.
The draft should explicitly note that these features are not
covered under this specification.

Prev by Date: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt
Next by Date: RE: Policy in IETF APIs (was: Standards and APIs)
Index(es):
- Chronological
- Thread