Lightweight Directory Access Protocol (LDAP) Turn Operation
draft-zeilenga-ldap-turn-03

Note: This ballot was opened for revision 03 and is now closed.

Sam Hartman Former IESG member
(was Discuss) Yes
Yes (2005-07-04) Unknown
I'm concerned about implementation complexity as it relates to SASL
security layers.  I don't think most SASL implementations support the
idea of another SASL association being used in the middle of an
existing association, particularly when that association is in the
opposite direction.  So as a practical matter, implementations will
need to use two SASL contexts.  This may interact badly with the SASL
requirement that if a new security layer is negotiated, that layer
replaces the existing layer.  I don't know if text on this issue is
needed.
Ted Hardie Former IESG member
Yes
Yes () Unknown
Brian Carpenter Former IESG member
No Objection
No Objection (2005-07-07) Unknown
Non-blocking points from Gen-ART review by Scott Brim:

    turnValue ::= SEQUENCE {
          mutual         BOOLEAN DEFAULT FALSE,
          identifier     LDAPString,
    }

Is that last "," supposed to be there?

In Security Considerations ...

Consider an opening paragraph citing general references for LDAP
security as context.

   - establish each other's identities through appropriate
     authentication mechanism,

Are there default and/or recommended authentication mechanisms for
LDAP?  Just what is considered "appropriate"?  I suggest citations.

   - establish an LDAP association between the initiating peer and the
     responding peer.

Isn't that redundant?  Isn't it impossible to issue a Turn without
having an LDAP association?
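To make the quoted turnValue definition concrete, here is an added encoder/decoder for that SEQUENCE. It is example code written for this page, not code from the draft or from any LDAP implementation. It assumes the BER subset LDAP uses (definite lengths only), treats LDAPString as a UTF-8 OCTET STRING, and follows DER practice for the DEFAULT FALSE element: mutual is omitted when FALSE and encoded as 0xFF when TRUE, while the decoder accepts any non-zero octet as TRUE and treats an absent element as FALSE. The TurnValue class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass

TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04   # LDAPString is an OCTET STRING carrying UTF-8
TAG_SEQUENCE = 0x30


def _encode_length(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int) -> tuple:
    """Return (length, position after the length octets); reject indefinite form."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0:
        raise ValueError("indefinite length is not permitted in LDAP BER")
    if pos + 1 + count > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value triple."""
    return bytes([tag]) + _encode_length(len(content)) + content


@dataclass
class TurnValue:
    """Hypothetical Python view of the draft's turnValue SEQUENCE (example only)."""
    identifier: str
    mutual: bool = False


def encode_turn_value(tv: TurnValue) -> bytes:
    """Encode turnValue; a FALSE 'mutual' is omitted because of DEFAULT FALSE."""
    content = b""
    if tv.mutual:
        content += _tlv(TAG_BOOLEAN, b"\xff")
    content += _tlv(TAG_OCTET_STRING, tv.identifier.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, content)


def decode_turn_value(buf: bytes) -> TurnValue:
    """Decode turnValue; absent 'mutual' means FALSE, and trailing data is rejected."""
    if not buf or buf[0] != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _decode_length(buf, 1)
    end = pos + seq_len
    if end != len(buf):
        raise ValueError("SEQUENCE length does not match buffer")
    mutual = False
    if pos < end and buf[pos] == TAG_BOOLEAN:
        blen, pos = _decode_length(buf, pos + 1)
        if blen != 1 or pos + 1 > end:
            raise ValueError("malformed BOOLEAN")
        mutual = buf[pos] != 0      # BER: any non-zero content octet is TRUE
        pos += 1
    if pos >= end or buf[pos] != TAG_OCTET_STRING:
        raise ValueError("missing identifier")
    slen, pos = _decode_length(buf, pos + 1)
    if pos + slen != end:
        raise ValueError("identifier length mismatch or trailing data")
    return TurnValue(identifier=buf[pos:end].decode("utf-8"), mutual=mutual)


if __name__ == "__main__":
    # Constructed sample: a mutual turn with an arbitrary identifier string.
    encoded = encode_turn_value(TurnValue("example-turn", mutual=True))
    print(encoded.hex(), decode_turn_value(encoded))
```

The decoder is deliberately strict about lengths and trailing octets; an extended operation's requestValue is attacker-supplied input, so a decoder that silently ignored extra bytes or accepted indefinite-length forms would be the kind of leniency a reviewer of the draft's security considerations would want called out.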
Margaret Cullen Former IESG member
No Objection
No Objection () Unknown