Re: SASL/EXTERNAL and CLDAP

[Bruce Greenblatt <bgreenblatt@directory-applications.com>]

At 11:05 AM 06/05/2000 -0700, Kurt D. Zeilenga wrote:
> At 12:32 PM 6/5/00 -0500, Mark Wahl wrote:
> >I would prefer that the SASL EXTERNAL mechanism be used to pick up the
> >IPSEC credentials to the LDAP level, rather than a new protocol field.
>
> I agree that SASL/EXTERNAL can and should be used to pick lower
> level credentials associated with connection.  Those credentials
> can be provided by TLS, IPSEC, or other lower layer associated
> with the connection.
>
> However, SASL (including SASL/EXTERNAL) cannot be used with
> connectionless protocols, you must have a connection to use
> SASL.  CLDAP should not overload/redefine any existing
> authentication choice nor any specification of those choices.


Why couldn't I write a draft titled "Using SASL/EXTERNAL mechanism in 
connectionless protocols"?  As I read RFC 2222, it only says that it 
defines how to use SASL over connection oriented protocols.  It doesn't 
appear to say that there is no way to ever use SASL/EXTERNAL within UDP.

Bruce

> Given that Connection-less LDAP cannot make use of SASL, it
> should (must) define a separate choice (and specification)
> which provide for secure authentication.  This choice can be
> based upon SASL/EXTERNAL, but it is not SASL/EXTERNAL as it
> would be defined in a manner which supports connection-less
> transports.
>
> Kurt