Subject: Public Comment
Comment from: bruno.grossmann@pwgsc.gc.ca

Thanks for the reply below. However,

1) DSML v2 does not implement the LDAP bind operation. Either the connectivity is not available and an errorResponse message is generated, or it is available and the request is processed;

2) X.509 is only an ITU document specifying the format of certificates; it does not specify any authentication mechanism.

As far as using SOAP or SAML, I would still argue that only allowing a different protocol to perform authentication operations is not reasonable. The ISO specifications were designed so that no cross-talk should happen between the protocols at the different layers. When you access a web site encrypted via SSL, you are still required to provide a name and a password to the HTTP server.

Furthermore, from an implementation point of view, how am I supposed to implement all the already defined LDAP volatile operations (add, modify, modifyDN, delete) in DSML when I do not have an authentication mechanism which maps to the LDAP authentication (admin dn with password)?

On Fri, 2004-01-09 at 15:08, Michael.Mccormick@wellsfargo.com wrote:

> This is quite surprising, if true. Since DSML is essentially an XML abstraction of the LDAP protocol, how could OASIS have just omitted the bind process? Maybe they expect DSML implementations to rely on authentication at lower stack layers (e.g., SSLv3) or be packaged inside authenticated SOAP constructs using SAML or X.509.
>
> -----Original Message-----
> From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org]
> Sent: Friday, January 09, 2004 1:55 PM
> To: dsml-comment@lists.oasis-open.org
> Subject: [dsml-comment] Public Comment
>
> Comment from: bruno.grossmann@pwgsc.gc.ca
>
> Hello,
>
> I have been working on implementing a DSML to LDAP gateway to provide additional services to our client departments. I have made good progress on this project.
>
> I am now implementing the part which deals with authentication, but I just realized that DSML does not allow for simple authentication, and that, as of now, there does not seem to be another authentication mechanism available. I am totally baffled by this, as I do not believe volatile directory operations can safely be performed with a simple out-of-band authentication mechanism. I thus have two comments on this issue:
>
> a) The fact that simple authentication is not supported in DSML v2 should be clearly stated in the specs document. The existing section on authentication (1.1) should be much more explicit as to what type of authentication is available. If some DSML-compliant products do indeed support out-of-band authentication, the authentication mechanism should be provided (either in the specs or in a companion document);
>
> b) I would suggest the DSML TC reconsider using a DSML authentication mechanism. As you can probably tell from the above comment, I think it is not safe to use an out-of-band mechanism. If plaintext passwords are considered too risky, safer authentication algorithms should be considered - but they should still be part of DSML, not outside of it.
>
> Regards.
>
> To unsubscribe from this list, send a post to dsml-comment-unsubscribe@lists.oasis-open.org, or visit http://www.oasis-open.org/mlmanage/.

-- 
Bruno Grossmann
SSD - Federated Directory Infrastructure Services
SGTI-GTIS
PWGSC-TPSGC
Place du Portage, Phase III - 2A1
11 rue Laurier, Hull, Québec, Canada (K1A 0S5)
Téléphone: 819-956-1224
Télécopieur: 819-956-6476
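The gap the thread describes is that a DSML v2 batch carries no bind, so a DSML-to-LDAP gateway has to tie each volatile operation to an identity it established out of band (HTTP authentication, a TLS client certificate) before it forwards anything. The script below is an added illustration, not code from the mail or from any DSML product: it parses a constructed DSMLv2 batchRequest, lets read-only requests through, refuses add/modify/modifyDN/delete when no out-of-band principal is present, and answers the refused requests with errorResponse elements. The namespace, the element names (batchRequest, addRequest, modifyRequest, modDNRequest, delRequest, errorResponse) and the errorResponse type value are what I assume the DSMLv2 core schema uses; the sample batch and DNs are constructed.

```python
import xml.etree.ElementTree as ET

# DSMLv2 core namespace and element names as I assume the spec defines them.
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"

# The LDAP operations the mail calls "volatile", keyed by the DSML request element
# I assume carries each of them. Everything else (searchRequest, compareRequest, ...)
# is treated as read-only here and is not gated.
VOLATILE_OPS = {
    "addRequest": "add",
    "modifyRequest": "modify",
    "modDNRequest": "modifyDN",
    "delRequest": "delete",
}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def check_batch(batch_xml, authenticated_dn):
    """Decide, per request in a batchRequest, whether the gateway may forward it.

    authenticated_dn is the identity the gateway established out of band (for
    example from HTTP auth or a TLS client certificate) and would bind to LDAP
    with; None means the caller is anonymous. Returns a list of
    (requestID, element name, allowed) tuples in request order.
    """
    root = ET.fromstring(batch_xml)
    if local_name(root.tag) != "batchRequest":
        raise ValueError("not a DSMLv2 batchRequest")
    decisions = []
    for req in root:
        name = local_name(req.tag)
        needs_auth = name in VOLATILE_OPS
        allowed = (not needs_auth) or authenticated_dn is not None
        decisions.append((req.get("requestID"), name, allowed))
    return decisions


def build_batch_response(decisions):
    """Emit a batchResponse holding one errorResponse per refused request.

    Allowed requests produce nothing here; a real gateway would forward them
    to LDAP under the bound identity and relay the LDAP results.
    """
    resp = ET.Element(f"{{{DSML_NS}}}batchResponse")
    for request_id, name, allowed in decisions:
        if allowed:
            continue
        # "authenticationFailed" is the errorResponse type I assume DSMLv2 defines.
        err = ET.SubElement(resp, f"{{{DSML_NS}}}errorResponse",
                            type="authenticationFailed")
        if request_id:
            err.set("requestID", request_id)
        ET.SubElement(err, f"{{{DSML_NS}}}message").text = (
            f"{VOLATILE_OPS[name]} refused: no authenticated principal for this batch"
        )
    return ET.tostring(resp, encoding="unicode")


# Constructed sample batch: one read-only search and two volatile operations.
SAMPLE_BATCH = f"""<batchRequest xmlns="{DSML_NS}">
  <searchRequest requestID="1" dn="ou=people,dc=example,dc=com"
                 scope="singleLevel" derefAliases="neverDerefAliases">
    <filter><present name="cn"/></filter>
  </searchRequest>
  <addRequest requestID="2" dn="cn=new,ou=people,dc=example,dc=com">
    <attr name="objectClass"><value>person</value></attr>
    <attr name="sn"><value>New</value></attr>
  </addRequest>
  <delRequest requestID="3" dn="cn=old,ou=people,dc=example,dc=com"/>
</batchRequest>"""


if __name__ == "__main__":
    # Anonymous caller: the search passes, the add and delete are refused.
    print(build_batch_response(check_batch(SAMPLE_BATCH, None)))
    # Caller authenticated out of band: every request may be forwarded.
    print(check_batch(SAMPLE_BATCH, "cn=admin,dc=example,dc=com"))
```

The point of splitting decision from response is that the identity check happens once per batch, at the transport boundary, and every request in the batch inherits it; that is exactly the mapping from an out-of-band credential to the LDAP bind that the mail says the specification leaves to the implementer.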