I'm afraid you are barking up the wrong tree, Bob.

There is already a way to use a DN as the authzid. Kurt wants to make DNs be the _only_ way.

I like the way it is currently, where it is permitted to use other forms for authzid. Having more than one way does not violate the previous agreement that a standard interoperable way needs to be specified. In fact, the agreement was that _both_ DN and non-DN forms should be allowed, IIRC.

There are, I believe, strong arguments that the mere existence of authzid is a layering violation. The authentication protocol is the owner of identification and of the forms of identities, not application protocols. And SASL has a way of handling authzid.

Paul