Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
draft-weltman-ldapv3-proxy-13
Discuss
Yes
(Ted Hardie)
No Objection
(Alex Zinin)
(Bill Fenner)
(David Kessens)
(Jon Peterson)
(Margaret Cullen)
(Scott Hollenbeck)
Abstain
Note: This ballot was opened for revision 13 and is now closed.
Ned Freed Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2004-02-12)
Unknown
This document says:
The criticality MUST be present and MUST be TRUE. This requirement
protects clients from submitting a request that is executed with an
unintended authorization identity.
Client requirements like this only protect clients that follow the rules.
A server requirement, on the other hand, protects against broken clients.
Given the likihood of security violations and screwy behavior if this
isn't enforced, I suggest changing this to read something like this:
Clients MUST include the criticality flag and MUST set it to TRUE.
Servers MUST reject any request containing a Proxy Authorization
Control without a criticality flag or with the flag set to FALSE
with a <?> error. These requirements protects clients from
submitting a request that is executed with an unintended
authorization identity.
I'm not wild about leaving the determination of proxy access rights
as an implementation detail, but given the situation surrounding
access control in LDAP in general I suppose we can do no better
at this time.
Nit: (date) in copyright field
Ted Hardie Former IESG member
Yes
Yes
()
Unknown
Alex Zinin Former IESG member
No Objection
No Objection
()
Unknown
Allison Mankin Former IESG member
No Objection
No Objection
(2004-03-17)
Unknown
My no-objection is based on a lack of time to review the preceding work on LDAP authentication and authorization that seems to be presumed here. It would be a good idea if there some delineation of these dependencies, even if brief. (I'm not requiring a change, must making the comment).
Bert Wijnen Former IESG member
No Objection
No Objection
(2004-03-18)
Unknown
Mmmm.. I see reference:
[KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
Requirement Levels", draft-bradner-key-words-03.txt, January,
1997.
I guess that should just be RFC2119 !!
Bill Fenner Former IESG member
No Objection
No Objection
()
Unknown
David Kessens Former IESG member
No Objection
No Objection
()
Unknown
Harald Alvestrand Former IESG member
No Objection
No Objection
(2004-03-17)
Unknown
Spencer Dawkins, Gen-ART reviewer, has made some editorial comments. To save space on the evaluation form, I've recorded these in the tracker log. They are also at <http://www.alvestrand.no/ietf/gen/reviews/draft-weltman-ldapv3-proxy-12-dawkins.txt>
Jon Peterson Former IESG member
No Objection
No Objection
()
Unknown
Margaret Cullen Former IESG member
No Objection
No Objection
()
Unknown
Russ Housley Former IESG member
(was Discuss)
No Objection
No Objection
(2004-02-17)
Unknown
No one is happy with the current situation regarding access control in LDAP. Leaving the determination of proxy access rights as an implementation detail is not going to improve the situation, and it will probably make it worse. However, I have no guidance to offer.
Scott Hollenbeck Former IESG member
No Objection
No Objection
()
Unknown
Steven Bellovin Former IESG member
(was Discuss)
Abstain
Abstain
(2004-03-18)
Unknown
I'm very confused by this document -- what, precisely, does it define? Is its whole purpose the definition of the OID? Proxies done properly are typically bound to the principal to whom some access right is being delegated, and often contain a set of restrictions as well. This seems to give carte blanche to anyone who has the magic string to do anything at all.