
comments: draft-weltman-ldapv3-proxy-05.txt



Rob,

Most (but not all) of this is a repeat of past comments.
  http://www.OpenLDAP.org/lists/ietf-ldapext/200007/msg00262.html
I include all current comments below for completeness:

Abstract: "The Proxied Authorization Control allows a connection with
sufficient privileges to assume the identity of another entry for the
duration of an LDAP request."

"duration of an LDAP request" implies the control may affect
unrelated operations (in the same session) which are concurrently
being processed.  "of another entry" assumes that the identity
refers to an entry.  An authorization identity does not have to
refer to an entry, let alone be a DN.  I suggest:
  "The Proxied Authorization Control allows a client to request
  that an operation be processed under a provided authorization
  identity instead of as the current authorization identity
  associated with the session [RFC2829]."

Note that I suggest you add a reference to RFC 2829 as it provides
the technical specification of authentication methods in LDAP
including the specification of authorization identity forms.


2. Publishing support for the Proxied Authorization Control

s/supportedExtensions/supportedControl/


3. Proxied Authorization Control
   This control may be included in any search, compare, modify,
   delete, or modrdn request message as part of the
   controls field of the LDAPMessage, as defined in [1].

Cannot be used with add?  What about extended operations?
Obviously it makes no sense to allow use with StartTLS,
but there are others for which this control would be quite useful.

The syntax of controlType should be LDAPOID and have
the value of the assigned OID.

I suggest you add a statement that servers recognizing this
control MUST return an error if the control is not marked
as being critical.

   The controlValue contains the BER encoding of a DN used for
   evaluating the requested rights:

Suggest (needs work):  The control value is the BER encoded
proxyAuthValue where proxyDN (proxyAuthzId) contains the
value representing the authorization identity whose rights
are requested.

Note that RFC 2829 prescribes an authorization identity
form, authzId, be used with LDAP authentication operations.
I suggest it be used here as well.


4. Permission to execute as proxy

"This means that fewer results, or no results, may be returned"
I assume you meant fewer entry and references responses, not
results.


5. Security Considerations

A more detailed security analysis may be appropriate, in
particular of the dangers of using this control in environments
without appropriate integrity and confidentiality protections.
The risk of a control being added/modified/removed in transit
should be briefly discussed.

The I-D states:
  No additional confidential information is passed in the control.

I suggest:
  This control allows for an additional authorization identity
  to be passed.  In some deployments, these identities may contain
  confidential information which requires privacy protection.
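The points raised above about the control's encoding and handling (an RFC 2251 Control carrying an authorization identity, the authzId forms of RFC 2829, and a server rejecting the control when it is not marked critical) can be illustrated with a small encoder/decoder. The following is an added example written for this archive page; it is neither the draft's text nor code from the reviewer or the draft's author. It assumes, following the suggestion in the comments rather than draft-05 itself, that the control value is the raw RFC 2829 authzId string ("dn:..." or "u:...") rather than a BER-encoded DN, and it assumes the OID 2.16.840.1.113730.3.4.18, which is the value later assigned to this control in RFC 4370; the draft under review may use a different OID. Only the Python standard library is used.

```python
"""Encode, decode and server-check an LDAP Proxied Authorization control.

Added example, not from the draft or the reviewer.  Assumptions:
- controlValue is the raw RFC 2829 authzId ("dn:..." or "u:..."), as the
  reviewer suggests, not the draft-05 BER-encoded DN;
- the OID below is the one RFC 4370 later assigned; the draft may differ.
"""

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # assumed, see module docstring

# Universal BER tags used by the RFC 2251 Control structure.
TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def encode_control(oid: str, authzid: str, critical: bool = True) -> bytes:
    """Encode RFC 2251:  Control ::= SEQUENCE {
         controlType  LDAPOID,                 -- OCTET STRING
         criticality  BOOLEAN DEFAULT FALSE,
         controlValue OCTET STRING OPTIONAL }"""
    body = tlv(TAG_OCTET_STRING, oid.encode("ascii"))
    if critical:  # DEFAULT FALSE: simply omit the element when not critical
        body += tlv(TAG_BOOLEAN, b"\xff")
    body += tlv(TAG_OCTET_STRING, authzid.encode("utf-8"))
    return tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:                                 # short-form length
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_control(raw: bytes):
    """Return (oid, criticality, value_or_None) from an encoded Control."""
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Control must be a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != TAG_OCTET_STRING:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, None
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == TAG_BOOLEAN:
            critical = val != b"\x00"     # BER: any non-zero octet is TRUE
        elif tag == TAG_OCTET_STRING:
            value = val
        else:
            raise ValueError("unexpected element in Control")
    return oid.decode("ascii"), critical, value


def server_check(raw: bytes):
    """The server-side handling the comments ask for: reject the control when
    it is not marked critical, and require a well-formed RFC 2829 authzId.
    Returns (form, identity); raises ValueError on a protocol violation."""
    oid, critical, value = decode_control(raw)
    if oid != PROXY_AUTHZ_OID:
        raise ValueError("not the proxied authorization control")
    if not critical:
        raise ValueError("proxied authorization control MUST be marked critical")
    if value is None:
        raise ValueError("control value is required")
    text = value.decode("utf-8")
    if text.startswith("dn:"):
        return "dn", text[3:]
    if text.startswith("u:"):
        return "u", text[2:]
    raise ValueError("authzId must use the dn: or u: form of RFC 2829")


if __name__ == "__main__":
    # Constructed sample: a client asking to run one operation as cn=admin.
    ctl = encode_control(PROXY_AUTHZ_OID, "dn:cn=admin,dc=example,dc=com")
    print(ctl.hex())
    print(server_check(ctl))
```

The decoder accepts an explicit BOOLEAN FALSE as well as an omitted criticality element, since BER permits both; either way the server rejects the request, which is the behaviour the comments ask the draft to mandate.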