
Re: Authz/Authc state upon start TLS



At 10:48 AM 1/1/00 -0800, Jeff Hodges wrote:
>> Third, per RFC2251, bind failures should cause connection to be
>> treated as "anonymous"
>I disagree. Perhaps you didn't read the explanation & rationale about this in my msg in
>this thread dated "Tue, 07 Dec 1999 13:40:47 -0800"?

I did read it and just reread it.  I still don't see an overriding
reason for treating bind failures when TLS is established any differently
than any other bind failure.  Maybe you can elaborate on:
	"ldapv3-tls-05 is more correct from thinking about how security works"
	
I believe SASL/EXTERNAL should be just like any other SASL mechanism.
The SASL bind either passes or it fails, and if it fails the LDAP connection
should be treated as "anonymous".  I do believe it unwise to special
case any bind failure in this regard.

My rationale is that the security specifications need to be simple so
as to reduce the likelihood that they are flawed or that their implementations
(or deployments of implementations) are flawed.


----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
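The rule argued in the message above (every bind, SASL/EXTERNAL included, either succeeds and installs an identity or fails and leaves the connection anonymous, with no special case for binds attempted after StartTLS) can be made concrete with a small model of the connection's authorization state. The following is an added example written for this archive page; it is not code from the thread, from the draft under discussion, or from any LDAP server. The directory entries, the client-certificate subject to DN mapping, and the DN names are constructed for the demonstration.

```python
"""Model of an LDAP connection's authorization state across StartTLS and bind.

Added example (not from the thread or any LDAP implementation). It applies one
rule uniformly: a successful bind installs the bound identity, and a failed bind
of any mechanism leaves the connection anonymous, as RFC 2251 describes for
bind failures, whether or not TLS has been started.
"""
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

ANONYMOUS = None  # authorization identity of an unbound or failed-bind connection

# Constructed sample directory: DN -> password (assumption for the demo only).
DIRECTORY = {
    "cn=alice,dc=example,dc=com": "correct horse",
}

# Constructed mapping from a verified TLS client-certificate subject to the
# DN that SASL/EXTERNAL would authorize (assumption for the demo only).
CERT_MAP = {
    "CN=alice,O=Example": "cn=alice,dc=example,dc=com",
}


@dataclass
class Connection:
    tls_active: bool = False
    client_cert_subject: Optional[str] = None  # subject of the verified client cert, if any
    authz_dn: Optional[str] = ANONYMOUS
    log: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def _finish_bind(self, mechanism: str, ok: bool, dn: Optional[str]) -> bool:
        # The single rule for every mechanism: success installs the identity,
        # failure drops the connection to anonymous. Whatever identity the
        # connection held before the attempt is discarded on failure.
        self.authz_dn = dn if ok else ANONYMOUS
        self.log.append((mechanism, "success" if ok else "failure", self.authz_dn))
        return ok

    def start_tls(self, client_cert_subject: Optional[str] = None) -> Optional[str]:
        # StartTLS changes the transport only. Until a bind is performed the
        # connection is authorized exactly as it was before, which at this
        # point in the model is whatever the last bind established.
        self.tls_active = True
        self.client_cert_subject = client_cert_subject
        return self.authz_dn

    def bind_simple(self, dn: str, password: str) -> bool:
        # Empty DN and password is the anonymous simple bind: it succeeds and
        # yields no identity.
        if dn == "" and password == "":
            return self._finish_bind("simple", True, ANONYMOUS)
        ok = DIRECTORY.get(dn) == password
        return self._finish_bind("simple", ok, dn)

    def bind_sasl_external(self) -> bool:
        # SASL/EXTERNAL asks the server to take the identity from the lower
        # security layer, here the TLS client certificate. With no TLS or no
        # client certificate there is nothing to authenticate, so the bind
        # fails and is treated like any other failed bind.
        if not self.tls_active or self.client_cert_subject is None:
            return self._finish_bind("EXTERNAL", False, ANONYMOUS)
        dn = CERT_MAP.get(self.client_cert_subject)
        return self._finish_bind("EXTERNAL", dn is not None, dn)


def scenario_tls_without_client_cert() -> Tuple[Optional[str], Optional[str]]:
    """Bind as alice, start TLS with no client cert, then attempt SASL/EXTERNAL.

    Returns (identity before the EXTERNAL attempt, identity after it). The
    failed EXTERNAL bind does not leave alice's earlier identity in place.
    """
    c = Connection()
    c.bind_simple("cn=alice,dc=example,dc=com", "correct horse")
    before = c.authz_dn
    c.start_tls(client_cert_subject=None)
    c.bind_sasl_external()
    return before, c.authz_dn


def scenario_tls_with_client_cert() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Start TLS with a client cert, bind via EXTERNAL, then fail a simple bind.

    Returns the identity after StartTLS alone, after the EXTERNAL bind, and
    after a subsequent simple bind with a wrong password.
    """
    c = Connection()
    c.start_tls(client_cert_subject="CN=alice,O=Example")
    after_tls = c.authz_dn            # still anonymous: StartTLS binds nobody
    c.bind_sasl_external()
    after_external = c.authz_dn       # alice, derived from the certificate
    c.bind_simple("cn=alice,dc=example,dc=com", "wrong password")
    return after_tls, after_external, c.authz_dn


if __name__ == "__main__":
    print(scenario_tls_without_client_cert())
    print(scenario_tls_with_client_cert())
```

The point the model makes is the one in the message: the only state transition a bind can produce on failure is "anonymous", so an implementer never has to ask which mechanism failed or whether TLS was active when deciding what the connection is authorized as afterwards.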