Re: LDAP Extension Style Guide, re interaction between controls
Date sent: Wed, 23 Aug 2000 09:58:11 -0700
To: d.w.chadwick@salford.ac.uk
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> I suggest ignore both under the general principle of least
> astonishment. I suggest:
>
> An operation may be extended by one or more controls. If the
> combination of controls is unrecognized, undefined, or the
> server is otherwise unwilling to perform the operation as
> extended by the sequence of provided controls,
> if any of the controls are marked critical, the server
> SHALL return unavailableCriticalExtension,
I don't like this. Under the principle of "the server should do its best
to provide a useful service", it should obey the known critical
extension and ignore the non-critical ones.
This was the suggested text that I sent to the PKIX list, which
unfortunately you did not receive (see below):
" A validation engine that does not understand the interaction of a
non-critical extension with another extension (critical or non-critical),
may ignore the non-critical extension (even if it understands the
semantics of the extension in isolation to the others), and accept the
certificate (unless factors other than this extension cause it to be
rejected).
A validation engine that does not understand the interaction of two
critical extensions, must reject the certificate (even if it understands
the semantics of both extensions in isolation to each other)."
> otherwise the server SHALL perform the operation as if
> no controls were provided.
>
> That is, combined control semantics is all or nothing.
>
>
My messages directly to you are getting bounced as follows:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. The following address(es) failed:
Kurt@OpenLDAP.org:
SMTP error from remote mailer after MAIL
FROM:<d.w.chadwick@salford.ac.uk>: host mail.openldap.org
[204.152.186.51]: 550 5.0.0 Rejected - see
http://www.mail-abuse.org/rss/
This means that you did NOT get a copy about this topic that I sent
to the PKIX group. They are now following up on this, and are
proposing to produce a table of allowed extensions that can be
used in combinations. Is this something that LDAPExt should do?
David
P.S. Could the bouncing be due to my newly installed firewall that
ignores messages from unknown hosts (I am operating in stealth
mode). I noticed that I received an unidentified message
immediately after sending an email to you. Are you testing out
senders to see if they exist?
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
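The two policies argued over in this thread, written out as an added example that is not code from either correspondent, OpenLDAP, or the LDAPext style guide. The control OIDs are real registered ones (RFC 2696, RFC 2891, RFC 3296), but the server's "known combinations" table and the unknown test OID are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

UNAVAILABLE_CRITICAL_EXTENSION = "unavailableCriticalExtension"
SUCCESS = "success"

PAGED_RESULTS = "1.2.840.113556.1.4.319"     # RFC 2696
SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"  # RFC 2891
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"    # RFC 3296
UNKNOWN_CONTROL = "1.3.6.1.4.1.99999.1"      # constructed, not registered

@dataclass(frozen=True)
class Control:
    oid: str
    critical: bool

# Assumed capabilities of a hypothetical server (constructed for this example):
# controls it understands in isolation, and combinations whose interaction it
# understands. The sort/manageDsaIT pairing is deliberately left out.
KNOWN_CONTROLS = frozenset({PAGED_RESULTS, SERVER_SIDE_SORT, MANAGE_DSA_IT})
KNOWN_COMBINATIONS = {
    frozenset(), frozenset({PAGED_RESULTS}), frozenset({SERVER_SIDE_SORT}),
    frozenset({MANAGE_DSA_IT}), frozenset({PAGED_RESULTS, SERVER_SIDE_SORT}),
}

def all_or_nothing(controls: Iterable[Control]) -> Tuple[str, FrozenSet[str]]:
    """Quoted style-guide proposal: honour the whole combination or none of it."""
    ctrls = list(controls)
    combo = frozenset(c.oid for c in ctrls)
    if combo in KNOWN_COMBINATIONS:
        return SUCCESS, combo
    if any(c.critical for c in ctrls):
        return UNAVAILABLE_CRITICAL_EXTENSION, frozenset()
    return SUCCESS, frozenset()  # performed as if no controls were provided

def best_effort(controls: Iterable[Control]) -> Tuple[str, FrozenSet[str]]:
    """Chadwick's counter-proposal: obey known critical controls, drop
    non-critical ones whose interaction is not understood; fail only on an
    unknown critical control or an unsupported all-critical combination."""
    ctrls = list(controls)
    if any(c.critical and c.oid not in KNOWN_CONTROLS for c in ctrls):
        return UNAVAILABLE_CRITICAL_EXTENSION, frozenset()
    combo = frozenset(c.oid for c in ctrls if c.oid in KNOWN_CONTROLS)
    if combo in KNOWN_COMBINATIONS:
        return SUCCESS, combo
    critical_only = frozenset(c.oid for c in ctrls if c.critical)
    if critical_only in KNOWN_COMBINATIONS:
        return SUCCESS, critical_only  # non-critical controls ignored
    return UNAVAILABLE_CRITICAL_EXTENSION, frozenset()
```

The policies diverge only when a critical control is combined with a non-critical one the server cannot reconcile with it: the first rejects the operation, the second performs it with the critical control alone.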