
Re: Authz/Authc state upon start TLS



Steve Sonntag wrote:
> 
> > "Kurt D. Zeilenga" <kurt@boolean.net> 17-Nov-99 5:00:17 PM >
> > I am wondering what the rationale of 7.1.1 is:
> >       "Upon establishment of the TLS connection into the LDAP
> >       association, any previous established authentication and
> >       authorization identities MUST remain in force, including
> >       anonymous state."
> >
> > I would have thought it more appropriate to require:
> >       "Upon establishment of the TLS connection into the LDAP
> >       association, any previous established non-anonymous
> >       authentication and authorization identities MUST NOT
> >       remain in force.  The LDAP association must move to an
> >       anonymous authentication and authorization state upon
> >       return of successful completion of the Start TLS operation."
> >
> 
> I disagree

The authorization and authentication identities established before StartTLS,
in my opinion, should be ignored upon establishment of StartTLS as they
were negotiated using a less secure transport.

However, my main concern is that Bind failures do not return the connection
to an anonymous state per RFC2251.  This is best demonstrated by viewing
Jeff's diagram (I believe it's up to date).

http://www.stanford.edu/~hodges/doc/StartTLSStateDiagram-8-May-1998.html

In particular,

  Failure of 3->6 bind should return to state 3 not 7.
  Failure of 7->6 bind should return to state 3 not 7.
  Failure of 7->10 bind should return to state 3 not 7.
  Failure of 5->5 bind should return to state 2.
  Failure of 4->4 bind should return to state 1.

In addition, I think the following are missing:
  "anonymous" bind from state 3 to 3 with failures to 3.
  simple or SASL (non-External) bind from 3 to 7 with failures to 3.
  "anonymous" bind from state 2 to 2 with failures to 2.
  simple or SASL (non-External) bind from 2 to 7 with failures to 2.
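The two behaviours argued over in this thread, a failed Bind dropping the association to anonymous (RFC 2251) and StartTLS either retaining or discarding the identity negotiated before it, can be written down as a small state model. The following is an added illustration, not code from the thread, the state diagram linked above, or any RFC; the state names, the `policy` parameter and the sample identity strings are assumptions made for the example, and the numbered states of the diagram are deliberately not reproduced because the page does not define them.

```python
"""Toy model of an LDAP association's authorization state across Bind and
StartTLS (added example; assumes the RFC 2251 rule that a failed Bind leaves
the association anonymous, and treats the StartTLS behaviour as a policy
knob because the thread disagrees on it)."""
from dataclasses import dataclass, replace

ANONYMOUS = "anonymous"


@dataclass(frozen=True)
class Association:
    """TLS layer present or not, plus the authorization identity in force."""
    tls: bool = False
    authz_id: str = ANONYMOUS


def bind(assoc: Association, identity: str, credentials_ok: bool) -> Association:
    """Model a simple or SASL (non-EXTERNAL) Bind on the association.

    A successful Bind installs the new identity; an anonymous Bind or a
    failed Bind both leave the association anonymous (RFC 2251 rule), no
    matter which identity was in force before. The TLS layer is untouched.
    """
    if identity == ANONYMOUS or not credentials_ok:
        return replace(assoc, authz_id=ANONYMOUS)
    return replace(assoc, authz_id=identity)


def start_tls(assoc: Association, policy: str = "retain") -> Association:
    """Model a Start TLS extended operation.

    policy="retain": draft 7.1.1 text, pre-TLS identity stays in force.
    policy="reset":  the post's position, identity drops to anonymous
                     because it was negotiated over the weaker transport.
    """
    if assoc.tls:
        # Already protected: the operation is not permitted a second time.
        raise ValueError("TLS layer already established")
    if policy == "retain":
        return replace(assoc, tls=True)
    if policy == "reset":
        return Association(tls=True, authz_id=ANONYMOUS)
    raise ValueError(f"unknown StartTLS policy: {policy!r}")


def run(ops, policy: str = "retain"):
    """Apply a sequence of ('bind', id, ok) / ('starttls',) ops and return
    the list of states visited, starting from a fresh association."""
    states = [Association()]
    for op in ops:
        cur = states[-1]
        if op[0] == "bind":
            states.append(bind(cur, op[1], op[2]))
        elif op[0] == "starttls":
            states.append(start_tls(cur, policy))
        else:
            raise ValueError(f"unknown op: {op!r}")
    return states


if __name__ == "__main__":
    # Constructed scenario: authenticate, fail a re-bind, then StartTLS.
    scenario = [("bind", "cn=alice", True), ("bind", "cn=bob", False),
                ("bind", "cn=alice", True), ("starttls",)]
    for pol in ("retain", "reset"):
        for st in run(scenario, policy=pol):
            print(pol, st)
```

Running the scenario under both policies shows the point of the post: the failed `cn=bob` Bind leaves the association anonymous rather than still `cn=alice`, and only under the "reset" policy does the identity re-established before StartTLS disappear once the TLS layer is in place.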