Re: SASL/EXTERNAL and CLDAP

[Bruce Greenblatt <bgreenblatt@directory-applications.com>]

At 12:38 PM 06/05/2000 -0700, Kurt D. Zeilenga wrote:
> At 11:31 AM 6/5/00 -0700, Bruce Greenblatt wrote:
> >Why couldn't I write a draft titled "Using SASL/EXTERNAL mechanism in
> >connectionless protocols"?
>
> SASL/EXTERNAL is a part of SASL.  SASL is designed for use
> by application protocols which use connection oriented transports.


Yes, I know that.  RFC 2222 (which defines SASL) doesn't say that you can't 
use it inside of UDP as Mark Wahl suggested.  It seems as if it would be 
straightforward to define the mechanism that would allow this to work in 
such a way that the SASL "pick(s) up the IPSEC credentials to the LDAP 
level".  SASL (i.e. RFC 2222) doesn't prevent this, it just doesn't define 
how it works.

Bruce


> Though one can base a new framework for application protocols
> which use connectionless transports, any Standard Track specification
> for such must be complete.  Defining a connectionless SASL/EXTERNAL
> without connectionless SASL makes no sense to me.  Anyways, such
> work would likely be out of scope of CLDAP and LDAPext WG.
>
> CLDAP must provide a secure authentication mechanism designed
> for use with the intended transport.   In lieu of a general
> framework supporting connectionless transports, I suggest a
> simple, yet secure authentication choice be added.  However,
> there may be other choices, I would suggest we consult the
> Security Area folks for a recommendation in this area.