[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: AuthzIDs or DNs, but not both

To: 'Bob Blakley' <blakley@dascom.com>, "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>, "'Kurt D. Zeilenga'" <kurt@boolean.net>
Subject: RE: AuthzIDs or DNs, but not both
From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Date: Mon, 15 Nov 1999 18:00:04 -0800
Cc: IETF LDAP Extensions WG <ietf-ldapext@netscape.com>
Resent-date: Mon, 15 Nov 1999 18:00:41 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"GDlxJB.A.FpC._qLM4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Title: RE: AuthzIDs or DNs, but not both

I'm afraid you are barking up the wrong tree, Bob.

There is already a way to use a DN as the authzid.

Kurt wants to make DNs be the _only_ way.

I like the way it is currently, where it is permitted to use other forms for authzid. Having more than one way does not violate the previous agreement that a standard interoperable way needs to be specified. In fact, the agreement was that _both_ DN and non-DN forms should be allowed, IIRC.

There are, I believe, strong arguments that the mere existence of authzid is a layering violation. The authentication protocol is the owner of identification and of the forms of identities, not application protocols. And SASL has a way of handling authzid.

Paul

Prev by Date: RE: LAST CALL: Java API Docs
Next by Date: RE: C API: minor comments
Index(es):
- Chronological
- Thread