
RE: AuthzIDs or DNs, but not both
At 05:26 AM 11/16/99 -0500, Harald Tveit Alvestrand wrote:
>At 11:56 15.11.99 -0800, Kurt D. Zeilenga wrote:
>Not necessarily - the mapping may be done by:

Yes, my statement only applies to mappings which are not dependent
upon private information.   The mapping I suggest, actually, it's
more of an encoding, only requires that both client and server
implement a common specification for transporting arbitrary user
provided authentication identity strings.

Authmeth/Start_TLS suggest that such strings be encoded by the
client as an AuthzID of the form:
	"u: string".

I suggest that such strings be encoded by the client as a DN
of the form:
	"uauthzid=string"

In both cases, the user provided authorization identity string
is transported to the server.

In both cases, the server may translate the provided
information into some other DN space.  (In the authzid case,
IMO, it SHOULD translate into some DN space).

The difference is that authzid requires adding a new on-the-wire
representation of authentication identifiers and only works
with operations which have been extended to support authzids.
The uauthzid, because it utilizes the existing on-the-wire
representation, may be more widely used.

Regards, Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
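The two encodings Kurt compares, written out as an added example (not code from the message or from any LDAP implementation). It assumes the authzid prefix is the two characters "u:" immediately followed by the user string, and it assumes RFC 2253-style backslash escaping for the DN form, which the message does not spell out; the escaping is what lets an arbitrary user string ride in a single "uauthzid=" RDN without a comma or plus sign in it being read by the server as a second RDN or attribute.

```python
# Added example: encode a user-supplied authorization identity in the two
# on-the-wire forms discussed above, and decode them back on the server side.
# Assumptions: "u:" with no separating space; RFC 2253-style escaping of the
# DN value.  Neither detail is specified in the message itself.

DN_SPECIAL = set(',+"\\<>;')   # characters that must be escaped in a DN value
AUTHZID_PREFIX = "u:"
UAUTHZID_TYPE = "uauthzid"      # hypothetical attribute type from the message


def encode_authzid(user_string):
    """Authmeth/Start_TLS form: the raw string behind a "u:" prefix."""
    return AUTHZID_PREFIX + user_string


def decode_authzid(authzid):
    """Server side of the "u:" form; the string needs no unescaping."""
    if not authzid.startswith(AUTHZID_PREFIX):
        raise ValueError("not a u: form authzid: %r" % authzid)
    return authzid[len(AUTHZID_PREFIX):]


def escape_dn_value(value):
    """Escape a string so it is a single RFC 2253 attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == '#' and i == 0) \
                or (ch == ' ' and i in (0, last)):
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def unescape_dn_value(value):
    """Reverse escape_dn_value; reject any unescaped special character,
    since that would mean the value spans more than one RDN."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\':
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in DN value")
            out.append(value[i + 1])
            i += 2
        elif ch in DN_SPECIAL:
            raise ValueError("unescaped special character %r" % ch)
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def encode_uauthzid(user_string):
    """DN form proposed in the message: "uauthzid=<escaped string>"."""
    return UAUTHZID_TYPE + "=" + escape_dn_value(user_string)


def decode_uauthzid(dn):
    """Server side of the DN form: check the attribute type, then
    recover the user string from the single RDN value."""
    prefix = UAUTHZID_TYPE + "="
    if dn[:len(prefix)].lower() != prefix:
        raise ValueError("not a uauthzid DN: %r" % dn)
    return unescape_dn_value(dn[len(prefix):])


def is_valid_uauthzid(dn):
    """True when the DN is exactly one uauthzid RDN, False otherwise."""
    try:
        decode_uauthzid(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a user string containing DN metacharacters.
    for s in ("bob", "joe,cn=admin", " leading space"):
        print(encode_authzid(s), "|", encode_uauthzid(s))
```

The only behavioural difference between the two decoders is the escaping step: the "u:" form carries the string verbatim, while the DN form has to escape on the client and reject unescaped metacharacters on the server so that "uauthzid=joe,cn=admin" is treated as malformed rather than as two RDNs.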