
RE: AuthzIDs or DNs, but not both



I'm afraid you are barking up the wrong tree, Bob.
 
There is already a way to use a DN as the authzid.
 
Kurt wants to make DNs be the _only_ way.
 
I like the way it is currently, where it is permitted to use other forms for authzid. Having more than one way does not violate the previous agreement that a standard interoperable way needs to be specified. In fact, the agreement was that _both_ DN and non-DN forms should be allowed, IIRC.
 
There are, I believe, strong arguments that the mere existence of authzid is a layering violation. The authentication protocol is the owner of identification and of the forms of identities, not application protocols. And SASL has a way of handling authzid.
 
Paul