Lightweight Directory Access Protocol (LDAP) Turn Operation
RFC 4531

Note: This ballot was opened for revision 03 and is now closed.

(Ted Hardie) Yes

(Sam Hartman) (was Discuss) Yes

Comment (2005-07-04)
I'm concerned about implementation complexity as it relates to SASL
security layers.  I don't think most SASL implementations support the
idea of another SASL association being used in the middle of an
existing association, particularly when that association is in the
opposite direction.  So as a practical matter, implementations will
need to use two SASL contexts.  This may interact badly with the SASL
requirement that if a new security layer is negotiated, that layer
replaces the existing layer.  I don't know if text on this issue is

(Brian Carpenter) No Objection

Comment (2005-07-07 for -)
Non-blocking points from Gen-ART review by Scott Brim:

    turnValue ::= SEQUENCE {
          mutual         BOOLEAN DEFAULT FALSE,
          identifier     LDAPString,

Is that last "," supposed to be there?

In Security Considerations ...

Consider an opening paragraph citing general references for LDAP
security as context.

   - establish each other's identities through appropriate
     authentication mechanism,

Are there default and/or recommended authentication mechanisms for
LDAP?  Just what is considered "appropriate"?  I suggest citations.

   - establish an LDAP association between the initiating peer and the
     responding peer.

Isn't that redundant?  Isn't it impossible to issue a Turn without
having an LDAP association?

(Margaret Cullen) No Objection