draft-ietf-ldapext-x509-sasl "On Hold"



These are the comments from the Security ADs in the IETF regarding this document. Note that they recommend "do not publish" unless the wg can make a case for why this is needed, especially with proxy support specified the way it is.

Mark, please let me know what the wg wants to do. The alternatives as I see them include (a) withdrawing the document completely and (b) updating the text and communicating directly with the SEC ADs so that they are satisfied.

Until I hear what you want to do, the document is "On Hold" in the IESG.

   Regards, Patrik

From: Jeffrey Schiller <jis@mit.edu>
Date: Mon, 28 Feb 2000 02:19:14 GMT
Subject: Re: draft-ietf-ldapext-x509-sasl
To: Patrik Fältström <paf@swip.net>
CC: Jeffrey Schiller <jis@mit.edu>, Steve Coya <scoya@ietf.org>, jis@mit.edu,
        mleech@nortelnetworks.com, moore@cs.utk.edu

I should have my latest round of comments tonight or tomorrow.

However we have a fundamental disagreement hiding (or not) here. My
basic problem with the document is that it proposes a fairly heavy
weight authentication mechanism (using public key cryptography and a
certificate hierarchy) and then tosses away all of the advantages.

One clear example is that this mechanism claims that it can be used
through proxies. Yet there is no way specified to authenticate that
the proxy is in fact a proxy and not an attacker who is inserting
himself in the data path and observing and modifying data going from
client to server. If this kind of thing is allowed, then what is the
point of having the security... so you can say so?

					-Jeff

Original Message <<<<<<<<<<<<<<<<<<

On 2/25/00, 7:21:13 PM, Patrik Fältström <paf@swip.net> wrote regarding Re: draft-ietf-ldapext-x509-sasl:


--On 2000-02-25 17.10 +0000, Jeffrey Schiller <jis@mit.edu> wrote:

 > Yep, big problems. This is the document I mentioned on the call
 > yesterday. It should not be published.

Can you please then be the one suggesting text to be sent to the
ldapext wg?

paf


At 9:39 AM -0500 2/28/00, Marcus Leech wrote:
Give this document to any security person, and they'll likely say
  "what's the point, exactly?"