
Re: Security Considerations in draft-weltman-ldapv3-auth-response-01.txt



  Per previous messages: I originally proposed something more along the lines of what you have suggested - a control or extended operation which could be issued at any time to query the authentication identity of a connection. Mark Wahl had a strong argument at the time (a year ago) for why it would be better to have an unsolicited control returned on bind. I don't remember what that strong argument was... Maybe Mark can add to this discussion.

"Kurt D. Zeilenga" wrote:

> I suggest noting explicitly in Security Considerations that the
> control is not protected by the SASL privacy or integrity
> protection negotiated by the BIND process returning this control.
> A client requiring such protection must rely on independent
> services, such as TLS or IPSEC, or use some operation after
> negotiating SASL protection services.

  That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection.

>
>
> Because of this consideration, I can see the need for an extended
> operation to obtain authorization information post BIND.
>
> BTW, what's the intended track of this document?  I suggest
> adding a note to the draft indicating your intent.

  It depends a little on the interest among participants on this list.

Thanks,
Rob