[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: C LDAP API: security considerations
Suggest one plausible way in which it is possible to specify policy to an
application to do anything with the flexibility you insist must be present.
I.e., suppose the application is informed that it has been given a referral.
When and how will it decide to chase it, and when not?
Applications have no idea how to answer the above question. Neither do
users. If there were to be a mechanism to answer that question, and a way to
specify the policy for answering it, they should be _below_ the level of the
LDAP API, so that use of the mechanism and enforcement of the policy would
_not_ depend on all the applications doing the right thing, since experience
suggests that will never happen.
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Saturday, November 13, 1999 12:37 PM
> To: ietf-ldapext@netscape.com
> Subject: Re: C LDAP API: security considerations
>
>
> After some additional thought on this matter, I believe it
> inappropriate of API implementations to chase referrals without
> application interaction. An API implementations should
> not assume the application's trust in the server providing
> the knowledge information extends to the referenced server.
Why? If the application trusts the first server to give correct answers, why
shouldn't it trust the servers to which it gives referrals?
>
> A client application should be in direct control of which
> servers it does or doesn't connect to. A client application
> should be in direct control of which request are submitted
> to servers. A client application should be in direct control
> of which information is provided with each request.
>
> I suggest that the default behavior of API implementations
> should be to NOT chase referrals. I suggest we extend
> the API specification to provide a mechanism to allow
> applications that wish to progress the operation to do so
> under the application's control. If the application fails
> to utilize this mechanism, the API implementation should
> not chase the referral.
I suggest that the default should be to chase referrals, and that an
application which is worried about chasing referrals should have a way to
opt out by providing a mechanism such as you suggest.
If referral chasing is not easy for applications, it won't usually be done.
If referral chasing is not usually done, then the freedom of a server to
partition its NC onto several servers with referrals to bridge them will be
eliminated.
>
> I also suggest that we then add a security consideration
> to the C LDAP API I-D that encourages applications to
> interact with users to determine if chasing is appropriate.
Nonsense. Users always say "yes".
Paul