> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Friday, December 10, 1999 1:36 PM
>
> >> However, I do believe that we need to provide a secure Bind
> >> mechanism for authenticating users who provide an LDAP DN as
> >> their authentication identity.
> >
> >I believe all the necessary protocol elements are in place
> >so that systems can be built that use LDAP DNs as their
> >authentication IDs. And for ones that don't.
>
> Given a canonical string representation for LDAP DNs, such that a
> client can map the DN provided by the user into the exact string
> representation expected by the server, I agree. However, we do
> not have a specification for a canonical string representation for
> LDAP DNs.

We are in complete agreement on the last point, and in fact on all the previous ones you mentioned, _except_ for the claim that this is a deficiency of SASL/Digest, or even the province of SASL to specify.

I'm certainly happy to have the LDAP WG specify a canonical form of user names that are LDAP DNs, and to recommend that systems that use DNs as their user name support it. However, from SASL's point of view, the only requirement is that the same string be used consistently.

Paul