Re: protocol: closing SASL upon Unbind
Kurt D. Zeilenga writes:
>At 08:01 AM 12/7/2004, Hallvard B Furuseth wrote:
>> SASL also doesn't say in which order SASL and TLS layers must be
>> removed. Is there any reason LDAP needs to specify this?
>
> LDAP specifies that SASL is layered above TLS. During graceful
> closure, one shouldn't tear down a lower layer until the above
> layers have been torn down.
Well, it seems like the obvious thing to do if SASL did define graceful
closure of a layer. OTOH, LDAP can install a TLS and a SASL layer
in any order, and supports removing TLS and keeping the connection
(including SASL). And if one has a SASL implementation where removing
the layer is tied to closing the connection, removing TLS in the middle
of that may be nontrivial.
So - if someone removes the TLS layer before the SASL layer, what is the
actual problem with this? Both client and server know that Unbind has
been sent, so I don't see any security problem, at least.
>> Anyway, unless the above is indeed needed, or we will wait for this to
>> be discussed on the SASL list, I suggest to be a bit more vague:
>>
>> cease exchanges at the LDAP message layer, tear down any SASL and TLS
>> layers as appropriate, and tear down the transport connection.
>
> I prefer "and then" conjunctions between each (as I suggested) as
> this indicates that the implementation should do a graceful top-down
> closure.
And I omitted that and changed it from a numbered list to a sentence for
the opposite reason:-) If we are to be more specific, I'd prefer to wait
to see if the SASL WG defines the feature of removing a SASL layer
before closing the connection.
--
Hallvard