Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation
RFC 4532

[Note]: 'Proposed RFC Editor Note: RFC Editor note: In section 1, please replace:
OLD:
      Bind controls are not protected by the security layers
    established by the Bind operation which they are
    transferred as part of.
NEW:
    Bind controls are not protected by the security layers
    established by the Bind operation which includes them. In section 3, please add the following sentence to the last paragraph
(which ends with "a multi-stage Bind operation"):
NEW:
    Where a request is received in violation of this absolute
    prohibition, the server should respond with an operationsError
    result code' added by Amy Vezza

[Ballot comment]
Section 2.2: "u:kurt@OPENLDAP.ORG" is provided as an example. EXAMPLE.ORG
(or another example described in RFC 2606) should be used instead of
OPENLDAP.ORG.

Section 6:

s/This OID 1.3.6.1.4.1.4203.1.11.3 to identify/OID 1.3.6.1.4.1.4203.1.11.3
is used to identify/

[Note]: 'Proposed RFC Editor Note: RFC Editor note: In section 1, please replace:
OLD:
      Bind controls are not protected by the security layers
    established by the Bind operation which they are
    transferred as part of.
NEW:
    Bind controls are not protected by the security layers
    established by the Bind operation which includes them. In section 3, please add the following sentence to the last paragraph
(which ends with "a multi-stage Bind operation"):
NEW:
    Where a request is received in violation of this absolute
    prohibition, the server should respond with an operationsError
    result code' added by Harald Alvestrand

A number of editorial issues found by John Loughney, GEN-ART reviewer. I believe these do not warrant holding up approving the document, but they might be "nice to fix if document is revved for other reasons".

Serious, requires a re-write:
=============================
1) Section 3, 2nd sentence:

  ....  If the server is treating
  the client as an anonymous entity, the response field is present but
  empty.

-> Define what empty is, all zeros - or something else?

2) Section 5, security considerations:

  Identities associated with users may be sensitive information. 

-> I woulk imagine these authorized identities are sensitive information,
  so that the next sentence:

  ..... When
  so, security layers [RFC2829][RFC2830] should be established to
  protect this information.

-> The 'should' in the above sentence needs to be 'MUST.'

Editorial:
==========
1) Title: LDAP "Who am I?" Operation - want to expand LDAP.

2) Broilerplate, etc. needs updating (obviously!).

3) Abstract contains the exact same text as the 1st paragraph of section
  1.  Either re-write the abstract, or delete the repeated paragraph in
  section 1.

4) Abstract talks about 'the authorized identity' and this terms is used
  several times before it is defined in 4th paragraph of section 1.  An
  earlier defination (perhaps in the abstract) would be nice.

5) Section 3, paragrph 3:

  If the server is unwilling or unable to provide the authorization
  identity it associates with the client, the server SHALL return a
  whoami Response with an appropriate non-success resultCode ...

-> a reference to where these resultCodes are defined is needed.

6) Needs IPR text.

[Note]: 'Proposed RFC Editor Note: RFC Editor note: In section 1, please replace:
OLD:
      Bind controls are not protected by the security layers
    established by the Bind operation which they are
    transferred as part of.
NEW:
    Bind controls are not protected by the security layers
    established by the Bind operation which includes them. In section 3, please add the following sentence to the last paragraph
(which ends with "a multi-stage Bind operation"):
NEW:
    Where a request is received in violation of this absolute
    prohibition, the server should respond with an operationsError
    result code' added by Amy Vezza

[Note]: 'Proposed RFC Editor Note:

RFC Editor note:

In section 1, please replace:
OLD:
      Bind controls are not protected by the security layers
     established by the Bind operation which they are
     transferred as part of.
NEW:
     Bind controls are not protected by the security layers
     established by the Bind operation which includes them.

In section 3, please add the following sentence to the last paragraph
(which ends with "a multi-stage Bind operation"):
NEW:
     Where a request is received in violation of this absolute
     prohibition, the server should respond with an operationsError
     result code' added by Ted Hardie

The intent here is to put this on the same ballot as the auth response document and gauge whether the IESG believes an IESG note pointing to  the authzid mechanism is needed in the auth response document or if the status difference is enough.