
Re: LDAPDN and AuthMeth/DIGEST-MD5



> let me see if I can summarize each person's position

My position is that users should be able to authenticate securely
regardless of whether they provide a DN or non-DN authorization
identity to the client.

I believe non-DN authorization identities should be encapsulated
within an LDAPDN so as to avoid introduction of a second on-the-wire
representation of authorization identities.

I believe that the server, upon successful authentication, SHOULD
determine a DN representing the user which is usable as the
creatorsname, modifiersname, ACL subjectDN, etc.  This DN may
or may not be the same DN provided by the client.

Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
not work for DN-based authorization identities.  A canonical
utf8 representation of DNs is necessary.



----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
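
One way the representation problem shows up, as an added illustration that is not part of the original message: the DIGEST-MD5 response (computed here as in RFC 2831, qop=auth) hashes the identity string byte for byte, so a server that stored H(username:realm:passwd) under one spelling of a DN cannot verify a client that hashes another spelling of the same DN. The DN, realm, password, nonces and the `toy_canonical_dn` helper are constructed assumptions; the helper is a simplified stand-in, not a real DN normalizer.

```python
import hashlib
import hmac

def stored_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:passwd): what a server can keep instead of the password.
    # UTF-8 is assumed (the charset=utf-8 case).
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def response(secret: bytes, nonce: str, cnonce: str, nc: str, uri: str) -> str:
    # RFC 2831 response-value for qop=auth, without an authzid in A1.
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{uri}".encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

def toy_canonical_dn(dn: str) -> str:
    # ASSUMPTION: hypothetical, simplified canonical form. Lowercases and trims
    # each RDN; ignores escaping, multi-valued RDNs and case-sensitive values.
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(p.strip().lower() for p in rdn) for rdn in rdns)

# Constructed sample values.
REALM, PASSWORD = "example.com", "constructed-password"
SERVER_DN = "cn=kurt zeilenga,o=net boolean"   # spelling hashed at enrolment
CLIENT_DN = "CN=Kurt Zeilenga, O=Net Boolean"  # same entry, as the user typed it

def verify(server_user: str, client_user: str, canon=lambda s: s) -> bool:
    """True when the client's response matches what the server computes."""
    args = ("constructed-nonce", "constructed-cnonce", "00000001",
            "ldap/ldap.example.com")
    expected = response(stored_secret(canon(server_user), REALM, PASSWORD), *args)
    received = response(stored_secret(canon(client_user), REALM, PASSWORD), *args)
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    print("identical spelling:      ", verify(SERVER_DN, SERVER_DN))
    print("equivalent DN, raw bytes:", verify(SERVER_DN, CLIENT_DN))
    print("equivalent DN, canonical:", verify(SERVER_DN, CLIENT_DN, toy_canonical_dn))
```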