
Re: comments: draft-weltman-ldapv3-proxy-05.txt



Kurt,

  I have taken into account your comments in a new draft which I will be submitting shortly. But there are a couple of points I disagree with (or don't fully understand). See below.

Rob


"Kurt D. Zeilenga" wrote:
> 
> The syntax of controlType should be LDAPOID and have
> the value of the assigned OID.

  That's part of the control spec of RFC 2251 (section 4.1.12), not something that can be defined by an individual control.

> 
> I suggest you add a statement that servers recognizing this
> control MUST return an error if the control is not marked
> as being critical.

  The draft defines the syntax of the control, including the required criticality. I don't think this case is different from any others - the server should reject invalid syntax.


> "This means that fewer results, or no results, may be returned"
> I assume you meant fewer entry and references responses, not
> results.

  Search results consist of entries and references.


> 5. Security Considerations
> 
> A more detailed security analysis may be appropriate.  In
> particular of dangers of using this control in environments
> without appropriate integrity and confidentiality protections
> The risk of a control being added/modified/removed in transit
> should be briefly discussed.

  If the control is used in an environment where its contents can be altered by an intruder, the intruder can do much worse things than add/alter/remove a proxied auth control. The intruder can change the results returned by the request (including making it fail altogether or succeed where it wouldn't have otherwise) by adding/altering/removing the control, but it could do so by adding/altering/removing any other part of the request as well. An intruder can't grab proxy rights for himself/herself without being an authentication identity entitled to proxy rights. So I think the integrity issues are covered with the text in the draft:

"The Proxied Authorization Control method is subject to standard LDAP
security considerations. The control may be passed over a secure as
well as over an insecure channel."

  I'm adding a sentence about the control including an additional identity, which may be of concern in some environments.
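The two points above about control syntax (controlType as an LDAPOID, and a server rejecting a proxied authorization control that is not marked critical) can be seen concretely in a small server-side check. The following Python is an added example written for this page; it is not code from the draft, the thread, or either author. It encodes and decodes the generic RFC 2251 section 4.1.12 Control structure with a minimal BER codec, and then applies the rule under discussion: a recognized proxied authorization control that lacks criticality, or that is not well-formed, is rejected instead of being silently honoured. The control OID and the sample identity value are placeholders, since neither is quoted on this page.

```python
# Added example (not from the draft or the thread): BER codec for the LDAPv3
# Control structure of RFC 2251 4.1.12, plus the server-side criticality check.
#
#   Control ::= SEQUENCE {
#       controlType   LDAPOID,                  -- OCTET STRING, tag 0x04
#       criticality   BOOLEAN DEFAULT FALSE,    -- tag 0x01, omitted when FALSE
#       controlValue  OCTET STRING OPTIONAL }   -- tag 0x04
from typing import Optional, Tuple

# Placeholder OID: the draft's assigned OID is not quoted on this page.
PROXY_AUTHZ_OID = "1.3.6.1.4.1.99999.1.1"


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_control(oid: str, criticality: bool, value: Optional[bytes]) -> bytes:
    """Encode a Control; criticality is DEFAULT FALSE so it is omitted when false."""
    oid_b = oid.encode("ascii")
    body = b"\x04" + _ber_len(len(oid_b)) + oid_b
    if criticality:
        body += b"\x01\x01\xff"
    if value is not None:
        body += b"\x04" + _ber_len(len(value)) + value
    return b"\x30" + _ber_len(len(body)) + body


def decode_control(raw: bytes) -> Tuple[str, bool, Optional[bytes]]:
    """Decode a Control, raising ValueError on any syntax violation."""
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("Control is not a single SEQUENCE")
    tag, oid_b, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an LDAPOID (OCTET STRING)")
    oid = oid_b.decode("ascii")
    criticality, value = False, None
    if pos < len(body) and body[pos] == 0x01:
        tag, crit_b, pos = _read_tlv(body, pos)
        if len(crit_b) != 1:
            raise ValueError("bad BOOLEAN")
        criticality = crit_b[0] != 0
    if pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
    if pos != len(body):
        raise ValueError("trailing bytes in Control")
    return oid, criticality, value


def check_proxy_control(raw: bytes) -> str:
    """Server-side decision for one received control.

    Returns 'accept', 'ignore' (not the proxied authorization control), or a
    'reject: ...' reason. Malformed syntax and a missing criticality flag are
    both rejected, which is the behaviour discussed in the thread.
    """
    try:
        oid, critical, value = decode_control(raw)
    except ValueError as exc:
        return f"reject: protocolError ({exc})"
    if oid != PROXY_AUTHZ_OID:
        return "ignore"
    if not critical:
        return "reject: proxied authorization control must be marked critical"
    if not value:
        return "reject: missing proxied identity"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: the identity value format is a placeholder.
    good = encode_control(PROXY_AUTHZ_OID, True, b"proxied-identity-placeholder")
    noncrit = encode_control(PROXY_AUTHZ_OID, False, b"proxied-identity-placeholder")
    print(check_proxy_control(good))     # accept
    print(check_proxy_control(noncrit))  # reject: ... must be marked critical
```

The decoder is deliberately strict about trailing bytes and length overruns; a server that tolerates sloppy encodings of a security-relevant control makes it harder to reason about what identity a request will actually run as.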