[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: AuthzIDs or DNs, but not both
At 01:21 PM 11/15/99 -0500, you wrote:
>So then should the draft contain an additional paragraph to assure this
>mapping?
I suggest it have a separate draft to define a one-to-one mapping
between arbitrary authentication identities and their DN representation.
Basically, I propose that when a user enters "kdz" as an authorization
string that the client uses the DN "authzid=kdz" to bind as user
"kdz". This can be used with all forms of bind, but more importantly,
it can be used where ever a DN is allowed. It provides the desired
capability of allowing users to provide arbitrary string as an
authorization identity without introducing another on the wire
representation of identities.
I, then, suggest we amend all specifications require use of authzid
to instead use DNs and make note that these DNs may represent
arbitrary authentication identities per the one-to-one mapping
document.
Kurt