|
I like the notion of bringing this to the reader's attention, but I dislike prescribing specific actions. How about something more like:
The matchedDN and diagnosticMessage fields and some result codes (such as insufficientAccessRights, attributeOrValueExists and entryAlreadyExists) may disclose the presence of specific data in the directory. Access controls coupled with restrictive policies can be used to protect against such disclosure.
Jim
>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 2/9/04 2:14:31 PM >>> A Security Consideration like this might be a good idea: The matchedDN and diagnosticMessage fields and some result codes (such as insufficientAccessRights, attributeOrValueExists and entryAlreadyExists) may reveal the presence of specific data in the directory. If access controls prohibit this, the server must take care to instead act as if the data are not present, or when that is not possible, to return a less informative result code. -- Hallvard |