
Issues with current authmeth draft.



Following are some issues I encountered with the current authmeth draft (draft-ietf-ldapbis-authmeth-05.txt).

1) The phrase "inside an OCTET STRING wrapper" is ambiguous.

This phrase is from a sentence in the fourth paragraph of section 4.3:
"The credentials field contains the arbitrary data used for authentication, inside an OCTET STRING wrapper." It appears to be transcribed from RFC2251.


This phrase could arguably be interpreted to mean either:
i) The SASL credentials are arbitrary data stored in the SaslCredentials.credentials OCTET STRING field, or
ii) The SASL credentials are arbitrary data in a BER encoded OCTET STRING in the SaslCredentials.credentials OCTET STRING field, i.e. the SaslCredentials.credentials contains BER.


Although I interpret the intention to be i), I find the wording ambiguous and think it should be fixed, probably by simply removing this phrase from the sentence.

2) DIGEST-MD5 authentication identity

There does not appear to be a clear statement as to the form of the authentication identity (as opposed to authorization identity) to be provided in the username-value of the SASL credentials for DIGEST-MD5 (or other mechanisms). I have seen examples of this value being an arbitrary identifier such as a Unix system might use, an LDAPDN and an *authzid*-style production.

3) Section 4.3.3 *Other SASL Mechanisms*

This section states "Other SASL mechanisms may be used with LDAP, but their usage is not considered in this document." However, the DIGEST-MD5 mechanism has not been referenced in section 4.3 and yet, contrary to this statement, is considered later in the document.

- Mark Ennis.
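As an added illustration of issue 1 (example code, not part of Mark Ennis's message or of the authmeth draft), the following Python encodes the sasl [3] SaslCredentials field of a BindRequest under each reading of "inside an OCTET STRING wrapper" and shows what a server following reading i) would hand to the SASL mechanism if the client had followed reading ii). The digest-response string is a constructed placeholder, not a real DIGEST-MD5 exchange.

```python
def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)  # UNIVERSAL 4, OCTET STRING (LDAPString is one too)

def sasl_credentials(mechanism: str, credentials: bytes, double_wrap: bool) -> bytes:
    """Encode sasl [3] SaslCredentials ::= SEQUENCE { mechanism LDAPString,
    credentials OCTET STRING OPTIONAL } as it appears in a BindRequest.
    double_wrap=False: reading i), the raw credential bytes are the field content.
    double_wrap=True:  reading ii), the bytes are BER-wrapped first, then stored."""
    inner = octet_string(credentials) if double_wrap else credentials
    seq = octet_string(mechanism.encode()) + octet_string(inner)
    return tlv(0xA3, seq)  # [3] IMPLICIT, context-specific, constructed

def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the BER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def extract_credentials(wire: bytes) -> bytes:
    """What a server following reading i) passes to the SASL mechanism."""
    tag, seq, _ = decode_tlv(wire)
    if tag != 0xA3:
        raise ValueError("not a sasl [3] SaslCredentials element")
    _, _mechanism, pos = decode_tlv(seq, 0)
    _, credentials, _ = decode_tlv(seq, pos)
    return credentials

# Constructed stand-in for a DIGEST-MD5 digest-response; not a real one.
SAMPLE = b'username="mark",realm="example.com",nonce="abc"'

if __name__ == "__main__":
    wire_i = sasl_credentials("DIGEST-MD5", SAMPLE, double_wrap=False)
    wire_ii = sasl_credentials("DIGEST-MD5", SAMPLE, double_wrap=True)
    print(extract_credentials(wire_i) == SAMPLE)   # True: mechanism gets the data intact
    print(extract_credentials(wire_ii)[:2])        # b'\x04/': a stray BER header precedes it
```

Under reading ii) the mechanism receives two extra bytes (tag and length) in front of the digest-response, which is exactly the interoperability failure the ambiguous wording invites.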