
RE: C LDAP API: security considerations




> -----Original Message-----
> From: Harald Tveit Alvestrand [mailto:Harald@Alvestrand.no]
> Sent: Monday, November 15, 1999 1:49 PM
>
> One plausible way, modelled on IE5's "server zones":
>

You propose a fine mechanism.

I would note that it is _not_ implemented in IE. It is implemented _below_ the WinInet API, which is the layer that IE, and lots of other apps, use to do HTTP. I.e., it is the moral equivalent of the LDAP API.

>
> For servers in the "expensive" zone, the UI will pop up a dialog box before chasing a referral.

I would note that one can't rely on any client-side mechanism to prevent denial-of-service attacks on the server, if that was your intent. In particular, the "expensive" zone won't prevent malicious clients from bogging down LDAP servers with public key operations. For non-malicious clients, the 20ms or so of CPU it costs for the public key operations is not likely to be a big deal worth annoying the user about. (Whereas it is a big deal to limit servers to the 50-100 requests per second that such a CPU cost implies.)

Paul
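The zone-based referral policy discussed above, as an added example that is not part of the original thread and is not code from any LDAP library. It sketches what a client-side mechanism of the kind Harald proposes could look like, and also makes Paul's caveat concrete: the policy only bounds what a well-behaved client does. The zone names, the suffix table, the per-zone actions and the hop limit are all hypothetical choices for illustration; only the LDAP URL form (ldap://host[:port]/...) is standard.

```python
"""Zone-based referral policy for an LDAP client (added example).

Assumptions (not from the original thread): the zone names, the
ZONE_TABLE contents, the per-zone POLICY and MAX_HOPS are hypothetical
choices made for this illustration.
"""
from urllib.parse import urlsplit

# Zones, from cheapest to most expensive to chase.  The "expensive"
# zone is the one the thread discusses: referrals into it should not be
# followed without asking the user first.
TRUSTED, INTRANET, EXPENSIVE, UNTRUSTED = "trusted", "intranet", "expensive", "untrusted"

# Hypothetical zone table: host or domain suffix -> zone.
# A key starting with "." matches any host under that domain;
# the longest matching key wins.
ZONE_TABLE = {
    "ldap.example.com": TRUSTED,
    ".example.com": INTRANET,
    ".partner.example": EXPENSIVE,
}
DEFAULT_ZONE = UNTRUSTED

# What the client does before chasing a referral into each zone.
CHASE, PROMPT, REFUSE = "chase", "prompt", "refuse"
POLICY = {TRUSTED: CHASE, INTRANET: CHASE, EXPENSIVE: PROMPT, UNTRUSTED: REFUSE}

# Upper bound on the length of a referral chain, independent of zone,
# so that a loop of referrals between trusted servers still terminates.
MAX_HOPS = 5


def referral_host(url):
    """Return the lower-cased host of an ldap:// or ldaps:// referral URL,
    or None if the URL is not an LDAP URL or carries no host."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return None
    return parts.hostname.lower()


def zone_for_host(host):
    """Classify a host by the longest matching entry in ZONE_TABLE."""
    best, best_len = DEFAULT_ZONE, -1
    for key, zone in ZONE_TABLE.items():
        matched = host.endswith(key) if key.startswith(".") else host == key
        if matched and len(key) > best_len:
            best, best_len = zone, len(key)
    return best


def referral_decision(url, hops_so_far):
    """Decide how to treat one referral: CHASE, PROMPT or REFUSE."""
    if hops_so_far >= MAX_HOPS:
        return REFUSE
    host = referral_host(url)
    if host is None:
        return REFUSE
    return POLICY[zone_for_host(host)]


def chase_referrals(referrals, ask_user):
    """Walk a chain of referral URLs, applying the policy at each hop.

    ask_user(url) -> bool stands in for the dialog box; it is consulted
    only for PROMPT decisions.  Returns the URLs actually followed.
    """
    followed = []
    for hops, url in enumerate(referrals):
        decision = referral_decision(url, hops)
        if decision == REFUSE:
            break
        if decision == PROMPT and not ask_user(url):
            break
        followed.append(url)
    return followed
```

Note what this does and does not protect. The hop limit and the prompt keep a cooperative client from being walked through an unbounded chain of referrals, each of which may cost the referred-to server a public key operation. Nothing here constrains a client that ignores the policy, which is Paul's point: a server that cannot afford those operations has to rate-limit or otherwise defend itself, not rely on clients to be polite.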