[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "connections" (Was: protocol-22 comments)



I like these terms thought I don't think I need them all. I'll try a pass at replacing current terminology and report back with what happens.

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 4/16/04 8:15:34 PM >>>
I prefer layer over connection for TLS, because starting
and stopping TLS does not close either LDAP "connection"
or transport (TCP) "connection". I also prefer to say
that a TLS closure event causes the layer to be deinstalled
as it reflects better that the LDAP and transport connections
are still established.


At 05:58 PM 4/16/2004, Jim Sermersheim wrote:
>Currently (from section 2):
>The terms "connection" and "LDAP connection" both refer to the
>underlying transport protocol connection between two protocol peers.
>The term "TLS connection" refers to a [TLS]-protected LDAP connection.
>The terms "association" and "LDAP association" both refer to the
>association of the LDAP connection and its current authentication and
>authorization state.

What I really disliked in the current document is
defining TLS connection to mean a TLS-protected LDAP
connection but then saying that StartTLS establish
TLS on a LDAP connection. It would be okay to say
StartTLS establishes TLS protection for a LDAP connection.

>I propose we:
>/s/LDAP connection/connection
>/s/TLS connection/TLS layer (yes I know layer is redundant)
>/s/association/LDAP association

I suggest:
"stream" to refer to the underlying transport layer.
"connection" to the LDAP layer (where LDAP PDUs are exchanged)
(and used without regard to whether protective-layers are
or are not in place).
"TLS layer" to refer to layer inserted between the stream
and the connection that utilizes TLS to protect
exchanged LDAP PDUs.
"SASL layer" to refer to layer inserted between the stream
and the connection that utilizes SASL to protect
exchanged LDAP PDUs.
"protective layer" to refer to either a TLS or SASL layer
"protected connection" to refer to a connection protected
by a protective layer
"TLS-protected connection" to refer to a connection protected
by a TLS-layer
"SASL-protected connection" to refer to a connection protected
by a SASL-layer
"unprotected connection" to refer to a connection not
protected by a protective layer

(LDAP) association refers to the authentication and authorization
state (generally of the client at the server) of a connection.

I suggest also adding a picture.

+------------+ |
| connection | |
+------------+ > LDAP PDU |
+------------+ < data |
| SASL layer | |
+------------+ > SASL-protected data |
+------------+ < data |
| TLS layer | |
+------------+ > TLS-protected data | Application
+------------+ < data +------------
| stream | | Transport
+------------+

Note that I don't include the association in this picture as
that refers to a state.

> The terms "association" and "LDAP association" both refer to the
> association of the LDAP connection and its current authentication and
> authorization state.


>This, at least is how I see it. There is the physical connection
>(connection) and the LDAP association. Sometimes there is a TLS layer
>protecting the LDAP messages on the connection.
>
>Are these terms sufficient?
>
>Jim
>
>>>> "Kurt D. Zeilenga" < Kurt@OpenLDAP.org > 3/12/04 11:03:49 AM >>>
>I've been thinking a bit more about the different uses of
>"connections"
>in the document. It seems that "LDAP connection" is used both to
>refer to the underlying transport connection as well as the LDAP-level
>connection (e.g., the layer in which LDAP messages are exchanged),
>and that this is causing some confusion in the specification.
>
>Kurt