Re: Security Considerations in draft-weltman-ldapv3-auth-response-01.txt
Per previous messages: I originally proposed something more along the lines of what you have suggested - a control or extended operation which could be issued at any time to query the authentication identity of a connection. Mark Wahl had a strong argument at the time (a year ago) for why it would be better to have an unsolicited control returned on bind. I don't remember what that strong argument was... Maybe Mark can add to this discussion.
"Kurt D. Zeilenga" wrote:
> I suggest noting explicitly in Security Considerations that the
> control is not protected by the SASL privacy or integrity
> protection negotiated by the BIND process returning this control.
> A client requiring such protection must rely on independent
> services, such as TLS or IPSEC, or use some operation after
> negotiating SASL protection services.
That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection.
>
>
> Because of this consideration, I can see the need for an extended
> operation to obtain authorization information post BIND.
>
> BTW, what's the intended track of this document? I suggest
> adding a note to the draft indicating your intent.
It depends a little on the interest among participants on this list.
Thanks,
Rob