Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
draft-weltman-ldapv3-proxy-13
Revision differences
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
|
2012-08-22
|
13 | (System) | post-migration administrative database adjustment to the Abstain position for Steven Bellovin |
|
2012-08-22
|
13 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
|
2005-11-05
|
13 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
|
2005-10-31
|
13 | Amy Vezza | IESG state changed to Approved-announcement sent |
|
2005-10-31
|
13 | Amy Vezza | IESG has approved the document |
|
2005-10-31
|
13 | Amy Vezza | Closed "Approve" ballot |
|
2005-10-31
|
13 | Ted Hardie | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ted Hardie |
|
2005-10-21
|
13 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
|
2005-09-14
|
13 | Russ Housley | [Ballot discuss] This document says: > > The criticality MUST be present and MUST be TRUE. This requirement > protects clients from … [Ballot discuss] This document says: > > The criticality MUST be present and MUST be TRUE. This requirement > protects clients from submitting a request that is executed with an > unintended authorization identity. > > Clients MUST include the criticality flag and MUST set it to TRUE. > Servers MUST reject any request containing a Proxy Authorization > Control without a criticality flag or with the flag set to FALSE with > a protocolError error. These requirements protect clients from > submitting a request that is executed with an unintended > authorization identity. > I think the author intended to delete the first paragraph when the second one was added to resolve the concerns raised bu Ned Freed. |
|
2005-06-09
|
13 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
|
2005-06-09
|
13 | (System) | New version available: draft-weltman-ldapv3-proxy-13.txt |
|
2004-11-11
|
13 | Ted Hardie | [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005' added by Ted Hardie |
|
2004-11-11
|
13 | Ted Hardie | [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005 if no revision seen by … [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005 if no revision seen by them.' added by Ted Hardie |
|
2004-11-11
|
13 | Ted Hardie | [Note]: 'Kurt to follow up with auth and get revised text; he will join as co-author by Jan 1. 2005' added by Ted Hardie |
|
2004-03-19
|
13 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation - Defer by Amy Vezza |
|
2004-03-18
|
13 | Steven Bellovin | [Ballot Position Update] Position for Steve Bellovin has been changed to Abstain from Discuss by Steve Bellovin |
|
2004-03-18
|
13 | Steven Bellovin | [Ballot comment] I'm very confused by this document -- what, precisely, does it define? Is its whole purpose the definition of the OID? Proxies done … [Ballot comment] I'm very confused by this document -- what, precisely, does it define? Is its whole purpose the definition of the OID? Proxies done properly are typically bound to the principal to whom some access right is being delegated, and often contain a set of restrictions as well. This seems to give carte blanche to anyone who has the magic string to do anything at all. |
|
2004-03-18
|
13 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
|
2004-03-18
|
13 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
|
2004-03-18
|
13 | Bert Wijnen | [Ballot Position Update] Position for Bert Wijnen has been changed to No Objection from Undefined by Bert Wijnen |
|
2004-03-18
|
13 | Bert Wijnen | [Ballot comment] Mmmm.. I see reference: [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt … [Ballot comment] Mmmm.. I see reference: [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt, January, 1997. I guess that should just be RFC2119 !! |
|
2004-03-18
|
13 | Bert Wijnen | [Ballot Position Update] New position, Undefined, has been recorded for Bert Wijnen by Bert Wijnen |
|
2004-03-18
|
13 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
|
2004-03-17
|
13 | Allison Mankin | [Ballot comment] My no-objection is based on a lack of time to review the preceding work on LDAP authentication and authorization that seems to be … [Ballot comment] My no-objection is based on a lack of time to review the preceding work on LDAP authentication and authorization that seems to be presumed here. It would be a good idea if there some delineation of these dependencies, even if brief. (I'm not requiring a change, must making the comment). |
|
2004-03-17
|
13 | Allison Mankin | [Ballot Position Update] New position, No Objection, has been recorded for Allison Mankin by Allison Mankin |
|
2004-03-17
|
13 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
|
2004-03-17
|
13 | Harald Alvestrand | [Ballot comment] Spencer Dawkins, Gen-ART reviewer, has made some editorial comments. To save space on the evaluation form, I've recorded these in the tracker log. … [Ballot comment] Spencer Dawkins, Gen-ART reviewer, has made some editorial comments. To save space on the evaluation form, I've recorded these in the tracker log. They are also at |
|
2004-03-17
|
13 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
|
2004-03-13
|
13 | Harald Alvestrand | Comments from Spencer Dawkins, Gen-ART reviewer 3. Proxy Authorization Control A single Proxy Authorization Control may be included in any search, compare, modify, add, … Comments from Spencer Dawkins, Gen-ART reviewer 3. Proxy Authorization Control A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, modify DN or extended operation request message with the exception of any extension that causes a change in authentication, authorization, or data confidentiality [RFC 2829], such as Start TLS [LDAPTLS] as part of the controls field of the LDAPMessage, as defined in [RFC 2251]. Spencer: I know it's an editorial nit, but "as part of" completes a phrase that left off SIX COMMAS earlier. Suggest alternative text as "A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, modify DN or extended operation request message as part of the controls field of the LDAPMessage, as defined in [RFC 2251], with the exception of any extension that causes a change in authentication, authorization, or data confidentiality [RFC 2829], such as Start TLS [LDAPTLS]." ... The controlValue SHALL be present and contain either an authzId [AUTH] representing the authorization identity for the request or Spencer: "or SHALL be empty..." empty if an anonymous association is to be used. Spencer: "anonymous authorization identity"? ... If the requested authorization identity is recognized by the server, and the client is authorized to adopt the requested authorization identity, the request will be executed as if submitted by the proxy authorization identity, otherwise the result code TBD is returned. Spencer: I'm new to the world of IANA LDAP result codes, but wouldn't you expect to see a proposed name for this result code in this document? Also in IANA Considerations section later on... [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6] ... 5. Security Considerations ... Note that the server is responsible for determining if a proxy authorization request is to be honored. "Anonymous" users SHOULD NOT be allowed to assume the identity of others. Spencer: It seems like this restriction should appear a lot earlier in the specification - it's an implementation consideration, not ("just") a security consideration... ... 8. Normative References [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement Levels", draft-bradner-key-words-03.txt, January, 1997. Spencer: Scott says this wins the plaid bunny award for most outdated reference in an ID this year - should be "RFC 2119", right? |
|
2004-03-13
|
13 | Harald Alvestrand | [Ballot comment] Spencer Dawkins, Gen-ART reviewer, has made some editorial comments. To save space on the evaluation form, I've recorded these in the tracker log. |
|
2004-03-13
|
13 | Harald Alvestrand | [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand |
|
2004-02-20
|
13 | (System) | Removed from agenda for telechat - 2004-02-19 |
|
2004-02-18
|
13 | Harald Alvestrand | State Changes to IESG Evaluation - Defer from IESG Evaluation by Harald Alvestrand |
|
2004-02-18
|
13 | Steven Bellovin | [Ballot discuss] I'm very confused by this document -- what, precisely, does it define? Is its whole purpose the definition of the OID? Proxies done … [Ballot discuss] I'm very confused by this document -- what, precisely, does it define? Is its whole purpose the definition of the OID? Proxies done properly are typically bound to the principal to whom some access right is being delegated, and often contain a set of restrictions as well. This seems to give carte blanche to anyone who has the magic string to do anything at all. The security considerations section doesn't even mandate that this magic string be kept confidential -- and its more powerful than plaintext passwords, which we bar. |
|
2004-02-18
|
13 | Steven Bellovin | [Ballot Position Update] New position, Discuss, has been recorded for Steve Bellovin by Steve Bellovin |
|
2004-02-18
|
13 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
|
2004-02-17
|
13 | Russ Housley | [Ballot discuss] This document says: > > The criticality MUST be present and MUST be TRUE. This requirement > protects clients from … [Ballot discuss] This document says: > > The criticality MUST be present and MUST be TRUE. This requirement > protects clients from submitting a request that is executed with an > unintended authorization identity. > I agree with all of the comments made by Ned Freed. Specifying the behavior of both the client and the server is very important. Ned suggests the following: > > Clients MUST include the criticality flag and MUST set it to TRUE. > Servers MUST reject any request containing a Proxy Authorization > Control without a criticality flag or with the flag set to FALSE > with a {?} error. These requirements protects clients from > submitting a request that is executed with an unintended > authorization identity. |
|
2004-02-17
|
13 | Russ Housley | [Ballot comment] No one is happy with the current situation regarding access control in LDAP. Leaving the determination of proxy access rights as an … [Ballot comment] No one is happy with the current situation regarding access control in LDAP. Leaving the determination of proxy access rights as an implementation detail is not going to improve the situation, and it will probably make it worse. However, I have no guidance to offer. |
|
2004-02-17
|
13 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
|
2004-02-12
|
13 | Ned Freed | [Ballot discuss] This document says: The criticality MUST be present and MUST be TRUE. This requirement protects clients from submitting a request that … [Ballot discuss] This document says: The criticality MUST be present and MUST be TRUE. This requirement protects clients from submitting a request that is executed with an unintended authorization identity. Client requirements like this only protect clients that follow the rules. A server requirement, on the other hand, protects against broken clients. Given the likihood of security violations and screwy behavior if this isn't enforced, I suggest changing this to read something like this: Clients MUST include the criticality flag and MUST set it to TRUE. Servers MUST reject any request containing a Proxy Authorization Control without a criticality flag or with the flag set to FALSE with a error. These requirements protects clients from submitting a request that is executed with an unintended authorization identity. I'm not wild about leaving the determination of proxy access rights as an implementation detail, but given the situation surrounding access control in LDAP in general I suppose we can do no better at this time. Nit: (date) in copyright field |
|
2004-02-12
|
13 | Ned Freed | [Ballot discuss] This document says: The criticality MUST be present and MUST be TRUE. This requirement protects clients from submitting a request that … [Ballot discuss] This document says: The criticality MUST be present and MUST be TRUE. This requirement protects clients from submitting a request that is executed with an unintended authorization identity. Client requirements like this only protect clients that follow the rules. A server requirement, on the other hand, protects against broken clients. Given the likihood of security violations and screwy behavior if this isn't enforced, I suggest changing this to read something like this: Clients MUST include the criticality flag and MUST set it to TRUE. Servers MUST reject any request containing a Proxy Authorization Control without a criticality flag or with the flag set to FALSE with a error. These requirements protects clients from submitting a request that is executed with an unintended authorization identity. I'm not wild about leaving the determination of proxy access rights as an implementation detail, but given the situation surrounding access control in LDAP in general I suppose we can do no better at this time. Nit: (date) in copyright field |
|
2004-02-12
|
13 | Ted Hardie | State Changes to IESG Evaluation from Waiting for Writeup by Ted Hardie |
|
2004-02-12
|
13 | Ned Freed | [Ballot Position Update] New position, Discuss, has been recorded for Ned Freed by Ned Freed |
|
2004-02-12
|
13 | Ted Hardie | Placed on agenda for telechat - 2004-02-19 by Ted Hardie |
|
2004-02-12
|
13 | Ted Hardie | [Ballot Position Update] New position, Yes, has been recorded for Ted Hardie |
|
2004-02-12
|
13 | Ted Hardie | Ballot has been issued by Ted Hardie |
|
2004-02-12
|
13 | Ted Hardie | Created "Approve" ballot |
|
2004-01-30
|
13 | Harald Alvestrand | State Changes to Waiting for Writeup from In Last Call by Harald Alvestrand |
|
2004-01-30
|
13 | Harald Alvestrand | This one seems to have gotten stuck in Last Call state. Last Call was supposed to have ended on 2003-09-09. |
|
2003-08-12
|
13 | Michael Lee | Last call sent |
|
2003-08-12
|
13 | Michael Lee | State Changes to In Last Call from Publication Requested by Michael Lee |
|
2003-08-11
|
13 | Ted Hardie | State Changes to Publication Requested from Last Call Requested by Ted Hardie |
|
2003-08-11
|
13 | Ted Hardie | State Changes to Last Call Requested from Expert Review by Ted Hardie |
|
2003-08-11
|
13 | Ted Hardie | Last Call was requested by Ted Hardie |
|
2003-08-11
|
13 | (System) | Ballot writeup text was added |
|
2003-08-11
|
13 | (System) | Last call text was added |
|
2003-08-11
|
13 | (System) | Ballot approval text was added |
|
2003-04-23
|
12 | (System) | New version available: draft-weltman-ldapv3-proxy-12.txt |
|
2003-04-08
|
13 | Ted Hardie | Sent to ldap directorate for review April 8, 2003 |
|
2003-04-08
|
13 | Ted Hardie | State Changes to Expert Review from Publication Requested by Hardie, Ted |
|
2003-04-08
|
13 | Ted Hardie | Intended Status has been changed to Proposed Standard from Request |
|
2003-03-24
|
13 | Ted Hardie | Shepherding AD has been changed to Hardie, Ted from Faltstrom, Patrik |
|
2002-05-08
|
13 | Jacqueline Hargest | Assigned to has been changed to paf from members by jhargest |
|
2002-05-03
|
11 | (System) | New version available: draft-weltman-ldapv3-proxy-11.txt |
|
2002-04-29
|
10 | (System) | New version available: draft-weltman-ldapv3-proxy-10.txt |
|
2001-12-17
|
09 | (System) | New version available: draft-weltman-ldapv3-proxy-09.txt |
|
2001-11-12
|
08 | (System) | New version available: draft-weltman-ldapv3-proxy-08.txt |
|
2001-10-16
|
07 | (System) | New version available: draft-weltman-ldapv3-proxy-07.txt |
|
2000-11-06
|
06 | (System) | New version available: draft-weltman-ldapv3-proxy-06.txt |
|
2000-10-16
|
05 | (System) | New version available: draft-weltman-ldapv3-proxy-05.txt |
|
2000-02-07
|
04 | (System) | New version available: draft-weltman-ldapv3-proxy-04.txt |
|
1999-04-26
|
03 | (System) | New version available: draft-weltman-ldapv3-proxy-03.txt |
|
1998-10-26
|
02 | (System) | New version available: draft-weltman-ldapv3-proxy-02.txt |
|
1998-08-14
|
01 | (System) | New version available: draft-weltman-ldapv3-proxy-01.txt |
|
1998-04-27
|
00 | (System) | New version available: draft-weltman-ldapv3-proxy-00.txt |