> -----Original Message-----
> From: Mark Wahl [mailto:M.Wahl@INNOSOFT.COM]
> Sent: Tuesday, December 07, 1999 12:52 PM
> To: Kurt D. Zeilenga
> Cc: ietf-ldapext@netscape.com
> Subject: Re: AuthMeth issue summary
>
>
>
> One background item is that we are trying to provide interoperability
> between LDAP users of SASL in advance of all of the SASL
> framework being
> completed as PS RFCs. Some of your issues are more generic
> SASL discussion
> points. In authmeth-04 as part of a compromise between some
> of the groups of
> implementors / users of authorization IDs in LDAP, we
> provided a specification
> of authorization identities that allows for both DNs and
> arbitrary user
> identities. (RFC 2222 4. #5 states that a protocol defines
> how the authorization
> identity is to be interpreted). I would hope that there would
> be a SASL work
> item at some point to more fully define how authorization
> identities can be
> used that is independent of the underlying protocol: e.g. I
> want to have a
> common authorization identity for a Web site accessed via
> HTTP, an IMAP store,
> an LDAP directory, etc. Furthermore I would want to ensure
> that access control
> systems which use authorization identities in implementations
> of each of
> the underlying protocols can make interoperable decisions,
> such as how to
> - validate an authorization identity (e.g. identities with a
> expiry date)
> - compare two authorization identities for equality,
> - map different kinds of real-world identities to authorization ids,
> - express containment, wildcards, role<->occupant and group<->member
> relationships between authorization identities,
> - know whether an authorization identity is a capability and
> should be
> protected as such etc
I don't believe that most of this is the province of SASL.
1. Authenticate protocols authenticate identities. They don't care what the identities _are_.
2. Authorization mechanisms deal with issues like group membership, not authentication protocols.
3. Ditto with capabilities.
4. Ditto with account expiration.
Paul