[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authlevel in LDAP ACI
At 08:45 PM 4/18/00 -0500, Ellen Stokes wrote:
>Here's a sketchy BNF for incorporating authentication strength
>and mechanism per today's discussion.
>
>< ldapACI > ::= < acl entry syntax >
>
>< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#'
> + < rights > + '#' + < dnType >
> + < authLevel > + '#' + < subjectDn >
>
>< authLevel > ::= "none" | "simple" | <strong>
>
>< strong > ::= "strong" | < SASLauth >
>
>< SASLauth > ::= "SASL" + ':' + < SASLmech >
>
>< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | "KERBEROS-ID" |< printableString
KERBEROS-ID is not a SASL mechanism, it's a form of authorization
(access) identity.
>
>Assumption here is that anything other than none or simple is strong and
>strong can
>be specified as strong (any other mechanism) or an explicit mechanism.
This use of "strong" is misleading. Simple authentication when
solid privacy and integrity are in place (ala TLS, IPSEC) is
actually stronger than DIGEST-MD5 without such protections.