[Date Prev][Date Next] [Chronological] [Thread] [Top]

draft-ietf-ldapext-ldapv3-tls-06.txt

To: ietf-ldapext@netscape.com
Subject: draft-ietf-ldapext-ldapv3-tls-06.txt
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 10 Feb 2000 10:12:38 -0800
Cc: jhodges@oblix.com, RLBob Morgan <rlmorgan@cac.washington.edu>, Mark Wahl <M.Wahl@INNOSOFT.COM>, LDAP extensions <ietf-ldapext@netscape.com>
In-reply-to: <200002101717.JAA01460@breakaway.Stanford.EDU>
Resent-date: Thu, 10 Feb 2000 10:12:51 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <2hirQC.A.HxG.Z-vo4@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Jeff,

I have only significant concern.

In 6.1.2:
	[Upon failure of BIND SASL/EXTERNAL...]
	The LDAP association's authentication identity and
       authorization identity (if any) which were in effect
       after TLS establishment but prior to making the Bind request,
       MUST remain in force.

This is inconsistent with RFC 2251 prescribed behavior:
  Clients MAY send multiple bind requests on a connection to change
  their credentials. ...  Authentication from earlier binds
  are subsequently ignored, and so if the bind fails, the connection
  will be treated as anonymous.

I can find no compelling reasoning why BIND failure whilst
TLS is enabled should have special behavior.  I believe this an
unnecessary complication.  I believe there are many good reasons
why this BIND behavior should be consistent without regard to TLS
(or IPSEC or whatever).  Reasons: simplicity of specification,
implementation, and use.

The general rule for security is simplicity.  Why the complication?

Follow-Ups:
- draft-ietf-ldapext-ldapv3-tls-06.txt proposed change
  - From: RL 'Bob' Morgan <rlmorgan@washington.edu>

References:
- Please publish this I-D: draft-ietf-ldapext-ldapv3-tls-06.txt
  - From: jhodges@oblix.com

Prev by Date: Re: RFC2251: RootDSE subschemasubentry issue
Next by Date: Re: LDAP subtree search with zero-length DN for baseObject?
Index(es):
- Chronological
- Thread