
Re: Issues with current authmeth draft.



Roger,

I am not convinced at this stage that the text under discussion needs to be revised. We also have the problem that "clarification" of this text could lead to backward compatibility problems with pre-LDAPbis systems as we are potentially changing assumptions on which the remaining text has, in the past, been interpreted. Particularly given that the text from the [authmeth] introduction has re-iterated the same points made in RFC2829 *1. Introduction*.

However, that said, I was referencing the following:

The [authmeth] text in *2. Introduction* discusses the security considerations for LDAP, identifying a set of basic threats and then the security mechanisms proposed to minimise these risks, including use of SASL and TLS.

The [authmeth] text in *3. Rationale for LDAPv3 Security Mechanisms* discusses the desirability for identities to take the form of distinguished names and authentication data to be stored in the directory. It also suggests that non-LDAPDN authorization identities should be supported for backward-compatibility with non-LDAP-based authentication services.

- Mark.

Roger Harrison wrote:
Mark,
Would you please provide a pointer to the text describing the "reasons... for introducing SASL mechanisms..." that you are referring to so that I can make appropriate changes.
Thanks,
Roger


>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 5/12/2003 7:14:39 PM >>>
At 05:08 PM 5/12/2003, Mark Ennis wrote:
>This seems counter to the reasons in RFC2829 and [authmeth] for introducing SASL mechanisms, in particular, SASL DIGEST-MD5.


Well then we should clarify the rationale.

Kurt