
Re: Comments: draft-weltman-ldapv3-auth-response-02.txt



At 09:32 AM 11/1/00 -0800, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> However, as previously noted, a critical consideration for
>> this control is that it is not protected by security layers
>> negotiated by the bind operation.  As the primary purpose
>> of providing such information is for verifying security
>> relations and/or managing information used to establish
>> security relations, it would likely be quite appropriate
>> to require or recommend the use of other security services
>> (such as TLS).
>> 
>> In fact, this consideration may be significant enough to
>> warrant redesign of the mechanism itself.  Use of an extended
>> operation may be more appropriate.
>
>  Using a control in conjunction with the bind request provides desirable atomicity that you don't achieve with an extended operation. The bind request produces a bind response containing the authorization identity.

This seems a reasonable rationale for using a bind control.  I suggest
you detail the above security consideration (control not protected
by services negotiated by the BIND).  Besides being a specific
consideration in regard to this specification, it (IIRC)
is not specifically addressed in RFC 2251 or 2829.

Kurt