Re: protocol: new SASL layers
Additionally, it should be made clear in the technical specification
that SASL layers, once installed in a session, can be replaced with
new SASL layers (after appropriate SASL negotiation) but cannot be
de-installed. That is, completing DIGEST-MD5 authentication with
layers followed by a simple bind does not cause the layers to be
de-installed.
Kurt
At 02:17 PM 4/30/2003, Kurt D. Zeilenga wrote:
>I believe this text should be deleted.
>> If a SASL transfer encryption or integrity mechanism has been negotiated,
>> that mechanism does not support the changing of credentials from one
>> identity to another, then the client MUST instead establish a new
>> connection.
>
>Each SASL negotiation is, generally, independent of other SASL
>negotiations. If there were dependencies between multiple
>negotiations of a particular mechanism, the mechanism technical
>specification should detail how applications are to deal with
>them. LDAP should not require any special handling. And if
>an LDAP client had used such a mechanism, it would have the
>option of using another mechanism.
>
>Comments?
>
>Kurt
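
An added example, not part of the original messages or of any LDAP implementation: a small Python model of the layer behaviour described in this thread, with an invariant check that an installed layer is never lost. The `Session` class, its method names and the sample identities are assumptions made for illustration, and treating a SASL bind that negotiates no layer as leaving the existing layer in place is a reading of "cannot be de-installed".

```python
from dataclasses import dataclass
from typing import Optional

LAYER_QOPS = {"auth-int", "auth-conf"}  # DIGEST-MD5 qop values that carry a layer

@dataclass
class Session:
    """Constructed model of one LDAP connection; not a real client or server."""
    identity: Optional[str] = None  # None = anonymous
    layer: Optional[str] = None     # installed SASL layer, None = no layer yet

    def simple_bind(self, dn: str) -> None:
        # A simple bind changes the identity only; it carries no SASL
        # negotiation, so an installed layer stays exactly as it was.
        self.identity = dn

    def sasl_bind(self, mechanism: str, identity: str, qop: str = "auth") -> None:
        self.identity = identity
        if qop in LAYER_QOPS:
            # A newly negotiated layer replaces whatever was installed.
            self.layer = f"{mechanism}/{qop}"
        # Assumption: a negotiation that yields no layer leaves the existing
        # one in place, since layers cannot be de-installed.

def run(ops):
    """Apply (method, args) pairs to a fresh session; return per-step state."""
    s, trace = Session(), []
    for method, args in ops:
        getattr(s, method)(*args)
        trace.append((s.identity, s.layer))
    return trace

def layer_never_removed(trace) -> bool:
    """Invariant check: once a layer appears, no later state has layer None."""
    seen = False
    for _, layer in trace:
        if seen and layer is None:
            return False
        seen = seen or layer is not None
    return True

# Constructed sequence: DIGEST-MD5 with a layer, simple bind, then a new layer.
OPS = [
    ("sasl_bind", ("DIGEST-MD5", "u:alice", "auth-int")),
    ("simple_bind", ("cn=bob,dc=example,dc=com",)),
    ("sasl_bind", ("DIGEST-MD5", "u:carol", "auth-conf")),
]
TRACE = run(OPS)
```

The second entry of `TRACE` is the case called out in the message: the identity changes with the simple bind while the DIGEST-MD5 layer remains installed.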