[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: AuthMeth issue summary

To: 'Mark Wahl' <M.Wahl@INNOSOFT.COM>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
Subject: RE: AuthMeth issue summary
From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Date: Fri, 10 Dec 1999 11:47:00 -0800
Cc: ietf-ldapext@netscape.com
Resent-date: Fri, 10 Dec 1999 12:50:49 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"YiPj8B.A.4KG.feWU4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Title: RE: AuthMeth issue summary

> -----Original Message-----
> From: Mark Wahl [mailto:M.Wahl@INNOSOFT.COM]
> Sent: Tuesday, December 07, 1999 12:52 PM
> To: Kurt D. Zeilenga
> Cc: ietf-ldapext@netscape.com
> Subject: Re: AuthMeth issue summary
>
>
>
> One background item is that we are trying to provide interoperability
> between LDAP users of SASL in advance of all of the SASL
> framework being
> completed as PS RFCs. Some of your issues are more generic
> SASL discussion
> points.   In authmeth-04 as part of a compromise between some
> of the groups of
> implementors / users of authorization IDs in LDAP, we
> provided a specification
> of authorization identities that allows for both DNs and
> arbitrary user
> identities. (RFC 2222 4. #5 states that a protocol defines
> how the authorization
> identity is to be interpreted). I would hope that there would
> be a SASL work
> item at some point to more fully define how authorization
> identities can be
> used that is independent of the underlying protocol: e.g. I
> want to have a
> common authorization identity for a Web site accessed via
> HTTP, an IMAP store,
> an LDAP directory, etc. Furthermore I would want to ensure
> that access control
> systems which use authorization identities in implementations
> of each of
> the underlying protocols can make interoperable decisions,
> such as how to
> - validate an authorization identity (e.g. identities with a
> expiry date)
> - compare two authorization identities for equality,
> - map different kinds of real-world identities to authorization ids,
> - express containment, wildcards, role<->occupant and group<->member
>    relationships between authorization identities,
> - know whether an authorization identity is a capability and
> should be
>    protected as such etc

I don't believe that most of this is the province of SASL.

1. Authenticate protocols authenticate identities. They don't care what the identities _are_.
2. Authorization mechanisms deal with issues like group membership, not authentication protocols.
3. Ditto with capabilities.
4. Ditto with account expiration.

Paul

Prev by Date: Your email...
Next by Date: Re: AuthMeth issue summary
Index(es):
- Chronological
- Thread