dsml-comment message
Subject: Public Comment


Comment from: bruno.grossmann@pwgsc.gc.ca

Thanks for the reply below. However,

1) DSML v2 does not implement the LDAP bind operation. Either the
connectivity is not available and an errorResponse message is generated,
or it is available and the request is processed;

2) X.509 is only an ITU document specifying the format of certificates,
it does not specify any authentication mechanism. As far as using SOAP
or SAML, I would still argue that only allowing a different protocol to
perform authentication operations is not reasonable. The ISO
specifications were designed so that no cross-talk should happen
between the protocols at the different layers. When you access a web
site encrypted via SSL, you are still required to provide a name and a
password to the HTTP server.
Furthermore, from an implementation point of view, how am I supposed to
implement all the already defined LDAP volatile operations (add, modify,
modifyDN, delete) in DSML when I do not have an authentication mechanism
which maps to the LDAP authentication (admin dn with password)?

On Fri, 2004-01-09 at 15:08, Michael.Mccormick@wellsfargo.com wrote:
    This is quite surprising, if true.  Since DSML is essentially an XML
    abstraction of the LDAP protocol, how could OASIS have just omitted the bind
    process?
    
    Maybe they expect DSML implementations to rely on authentication at lower
    stack layers (e.g., SSLv3) or be packaged inside authenticated SOAP
    constructs using SAML or X.509.
    
    -----Original Message-----
    From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org]
    Sent: Friday, January 09, 2004 1:55 PM
    To: dsml-comment@lists.oasis-open.org
    Subject: [dsml-comment] Public Comment
    
    
    Comment from: bruno.grossmann@pwgsc.gc.ca
    
    Hello,
    I have been working on implementing a DSML to LDAP gateway to provide
    additional services to our client departments. I have made good progress on
    this project. I am now implementing the part which deals with authentication
    but I just realized that DSML does not allow for simple authentication, and
    that, as of now, there does not seem to be another authentication mechanism
    available. I am totally baffled by this, as I do not believe volatile
    directory operations can safely be performed with a simple out-of-band
    authentication mechanism. I thus have two comments on this issue:
    
    a) The fact, that simple authentication is not supported in DSML v2 should
    be clearly stated in the specs document. The existing section on
    authentication (1.1) should be much more explicit as to what type of
    authentication is available. If some DSML-compliant products do indeed
    support out-of-band authentication, the authentication mechanism should be
    provided (either in the specs or in a companion document);
    b) I would suggest the DSML TC reconsiders using a DSML authentication
    mechanism. As you can probably tell from the above comment, I think it is
    not safe to use an out-of-band mechanism. If plaintext passwords are
    considered too risky, safer authentication algorithms should be considered -
    but they should still be part of DSML, not outside of it.
    
    Regards.
    
-- 
Bruno Grossmann
SSD - Federated Directory Infrastructure Services
SGTI-GTIS
PWGSC-TPSGC
Place du Portage, Phase III - 2A1
11 rue Laurier, Hull, Québec, Canada (K1A 0S5)
Téléphone: 819-956-1224   Télécopieur: 819-956-6476
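To illustrate the gateway problem this thread raises, here is an added Python example (not from the thread, the DSML TC, or any DSML product) of the check a DSML-to-LDAP gateway can apply when authentication is out of band: it classifies the operations in a DSMLv2 batchRequest and refuses the volatile ones unless the transport layer (assumed here to be HTTP authentication over TLS) has already established a principal. The element names and namespace are DSMLv2's; the sample batch and the gateway policy are constructed for the example.

```python
"""Gateway-side policy: DSMLv2 carries no bind, so the caller identity must
come from the transport, and volatile LDAP operations are refused without it."""
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
# DSMLv2 request elements that change directory content (LDAP add/modify/modDN/delete).
VOLATILE = {"addRequest", "modifyRequest", "modDNRequest", "delRequest"}

# Constructed sample batch: one read-only search followed by a delete.
SAMPLE_BATCH = f"""<batchRequest xmlns="{DSML_NS}">
  <searchRequest dn="ou=people,dc=example,dc=com" scope="singleLevel"
                 derefAliases="neverDerefAliases">
    <filter><present name="cn"/></filter>
  </searchRequest>
  <delRequest dn="cn=old,ou=people,dc=example,dc=com"/>
</batchRequest>"""


def classify_requests(batch_xml):
    """Return [(local element name, is_volatile)] for each request in the batch."""
    root = ET.fromstring(batch_xml)
    ops = []
    for child in root:
        local = child.tag.split("}", 1)[-1]  # strip the namespace prefix
        ops.append((local, local in VOLATILE))
    return ops


def authorize_batch(batch_xml, transport_principal):
    """Decide whether the gateway may forward this batch to LDAP.

    transport_principal is the identity the transport layer authenticated
    (None when the caller is anonymous). Hypothetical gateway policy:
    read-only batches are allowed anonymously; any volatile operation needs
    an authenticated principal, which the gateway would then map to the LDAP
    bind DN it uses for the forwarded operations.
    """
    ops = classify_requests(batch_xml)
    if any(is_volatile for _, is_volatile in ops) and transport_principal is None:
        return False, "volatile operation without an authenticated transport principal"
    return True, "ok"


if __name__ == "__main__":
    print(classify_requests(SAMPLE_BATCH))
    print(authorize_batch(SAMPLE_BATCH, None))
    print(authorize_batch(SAMPLE_BATCH, "cn=bruno,ou=people,dc=example,dc=com"))
```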

