Re: Applicability Stmt (AS) rescinding "IESG Note" and defining "LDAPv3"



At 11:23 PM 7/6/00 -0700, Jeff.Hodges@stanford.edu wrote:
>> If one were to rescind the IESG notice, I would think
>> it appropriate to strengthen the Security Considerations
>> of the specifications.  Something like:
>>    Update functionality SHOULD be restricted to securely
>>    authenticated clients.

Note that neither RFC2829 nor RFC2830 adds a requirement similar
to the above statement.  They only "encourage" servers to prevent
update by anonymous users.  This, IMO, is insufficient.

Recall that the IESG notice states:
        "Update access requires secure authentication"

This could (though not my preferred solution) be addressed in the
Applicability Statement by adding:
   "Implementations of LDAPv3 SHOULD restrict update functionality
   described in RFC2251 to clients which have authenticated using
   a secure mechanism as described in RFC 2829."

>RFC2829's explicit purpose is to provide exactly the enhancement to 
>LDAPv3-as-a-whole's "Security Considerations" that you're calling for.

Where does it provide an explicit requirement statement which restricts,
with SHOULD or MUST, update functionality to securely authenticated
clients?  This is what I am calling for.

>It seems to us that the present-day artifact that is LDAPv3 is still somewhat 
>fuzzily defined in the absence of an AS saying these simple, specific things.

I agree that LDAPv3 is still "somewhat fuzzy" and that an applicability
statement is needed.

>What it does mean is that we'll be providing an unambiguous definition, 
>including security considerations, of what we mean ~today~ when we 
>-- or any of the many implementors & vendors out there -- say "LDAPv3".

I find that the AS creates an unambiguous definition, in particular,
with regard to security considerations.  I would much rather publish an
AS which states that LDAPv3 'requires' implementation of the listed
RFCs WITHOUT rescinding the notice or otherwise updating the
specifications.  I believe rescinding of the notice is best left to later
revision of the technical specifications.