idnits 2.17.1 

draft-weltman-ldapv3-proxy-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents -- however, there's a paragraph
     with a matching beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 4) being 60 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 72: '... The criticality MUST be included and ...'
     RFC 2119 keyword, line 82: '... Implementations MUST return the error...'
     RFC 2119 keyword, line 90: '...uest is denied, the server MUST return...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 49 has weird spacing: '...ocument  are...'

  == Line 69 has weird spacing: '...olValue    pro...'

  == Line 135 has weird spacing: '...for the  purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 22, 1999) is 9128 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? '1' on line 154 looks like a reference

  -- Missing reference section? '2' on line 158 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Network Working Group                                        Rob Weltman
2	INTERNET-DRAFT                             Netscape Communications Corp.
3	                                                               Tim Howes
4	                                           Netscape Communications Corp.
5	                                                          April 22, 1999

7	                   LDAP Proxied Authorization Control
8	                   draft-weltman-ldapv3-proxy-03.txt

10	Status of this Memo

12	   This document is an Internet-Draft and is in full conformance with
13	   all provisions of Section 10 of RFC2026.

15	   Internet-Drafts are working documents of the Internet Task Force
16	   (IETF), its areas, and its working groups.  Note that other groups
17	   may also distribute working documents as Internet-Drafts.

19	   Internet-Drafts are draft documents valid for a maximum of six months
20	   and may be updated, replaced, or obsoleted by other documents at any
21	   time.  It is inappropriate to use Internet Drafts as reference
22	   material or to cite them other than as "work in progress."

24	   The list of current Internet-Drafts can be accessed at
25	   http://www.ietf.org/ietf/1id-abstracts.txt

27	   The list of Internet-Draft Shadow Directories can be accessed at
28	   http://www.ietf.org/shadow.html.

30	Abstract

32	   This document defines support for the Proxied Authorization Control.
33	   Controls are an LDAP protocol version 3 extension, to allow passing
34	   arbitrary control information along with a standard request to a
35	   server, and to receive arbitrary information back with a standard
36	   result. The Proxied Authorization Control allows a connection with
37	   sufficient privileges to assume the identity of another entry for the
38	   duration of an LDAP request.

40	1. Introduction

42	   Version 3 of the LDAP protocol provides a means of supplying
43	   arbitrary additional information along with a request to an LDAP
44	   server, and receiving arbitrary additional response information. The
45	   Control protocol extension is described in [1], section 4.1.12. This
46	   document defines support for proxied authorization using the Control
47	   mechanism.

49	   The key words "MUST", "SHOULD", and "MAY" used in this document  are
50	   to be interpreted as described in [2].

52	PROXIED AUTHORIZATION CONTROL                              April, 1999

54	2. Publishing support for the Proxied Authorization Control

56	   Support for the Proxied Authorization Control is indicated by the
57	   presence of the OID "2.16.840.1.113730.3.4.12" in the
58	   supportedExtensions attribute of a server's root DSE.

60	3. Proxied Authorization Control

62	   This control may be included in any bind, unbind, search, compare,
63	   abandon, modify, delete, or modrdn request message as part of the
64	   controls field of the LDAPMessage, as defined in [1].

66	   proxyAuthControl ::= SEQUENCE {
67	           controlType     2.16.840.1.113730.3.4.12,
68	           criticality     BOOLEAN DEFAULT FALSE,
69	           controlValue    proxyAuthValue
70	   }

72	   The criticality MUST be included and MUST be TRUE.

74	   The controlValue contains the BER encoding of a DN used for
75	   evaluating the requested rights:

77	   proxyAuthValue::= SEQUENCE {
78	           proxyDN LDAPDN
79	   }

81	   It is represented as a Sequence in order to allow future extensions.
82	   Implementations MUST return the error code
83	   unsupportedCriticalExtension in the event of unrecognized additional
84	   elements in the sequence

86	4. Permission to execute as proxy

88	   An LDAP server supporting the Proxied Authorization Control may
89	   choose to honor or not honor a particular request. If the control is
90	   supported but a particular request is denied, the server MUST return
91	   the error code insufficientAccessRights. A typical implementation
92	   will evaluate if the requester has proxy access rights at the base DN
93	   of the request. If the requester has proxy access rights, and if the
94	   proxy DN corresponds to a valid entry in the directory managed by the
95	   server, the request will be honored. If the request is honored, it
96	   will be executed as if submitted by the proxy identity.

98	   During evaluation of a search request, an entry which would have been
99	   returned for the search if submitted by the proxy identity directly
100	   may not be returned if the server finds that the requester does not
101	   have proxy rights to the entry, even if the entry is within the scope

103	PROXIED AUTHORIZATION CONTROL                              April, 1999

105	   of a search request under a base DN which does imply such rights.
106	   This means that fewer results, or no results, may be returned
107	   compared to the case where the proxy identity issued the request
108	   directly. An example of such a case may be a system with fine-grained
109	   access control, where the proxy right requester has proxy rights at
110	   the top of a search tree, but not at or below a point or points
111	   within the tree.

113	5. Security Considerations

115	   The Proxied Authorization Control method is subject to standard LDAP
116	   security considerations. The control may be passed over a secure as
117	   well as over an insecure channel. No additional confidential
118	   information is passed in the control.

120	   Note that the server is responsible for determining if a proxied
121	   authorization request is to be honored.

123	6. Copyright

125	   Copyright (C) The Internet Society (date). All Rights Reserved.

127	   This document and translations of it may be copied and furnished to
128	   others, and derivative works that comment on or otherwise explain it
129	   or assist in its implementation may be prepared, copied, published
130	   and distributed, in whole or in part, without restriction of any
131	   kind, provided that the above copyright notice and this paragraph are
132	   included on all such copies and derivative works.  However, this
133	   document itself may not be modified in any way, such as by removing
134	   the copyright notice or references to the Internet Society or other
135	   Internet organizations, except as needed for the  purpose of
136	   developing Internet standards in which case the procedures for
137	   copyrights defined in the Internet Standards process must be
138	   followed, or as required to translate it into languages other than
139	   English.

141	   The limited permissions granted above are perpetual and will not be
142	   revoked by the Internet Society or its successors or assigns.

144	   This document and the information contained herein is provided on an
145	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
146	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
147	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
148	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
149	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

151	7. Bibliography
152	PROXIED AUTHORIZATION CONTROL                              April, 1999

154	   [1]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
155	        Protocol (v3)", Internet Draft draft-ietf-asid-ldapv3-protocol-
156	        06.txt, July 1997.

158	   [2]  Bradner, Scott, "Key Words for use in RFCs to Indicate
159	        Requirement Levels", draft-bradner-key-words-03.txt, January,
160	        1997.

162	8. Author's Addresses

164	   Rob Weltman
165	   Netscape Communications Corp.
166	   MV-068
167	   501 E. Middlefield Rd.
168	   Mountain View, CA 94043
169	   USA
170	   +1 650 937-3301
171	   rweltman@netscape.com

173	   Tim Howes
174	   Netscape Communications Corp.
175	   MV-068
176	   501 E. Middlefield Rd.
177	   Mountain View, CA 94043
178	   USA
179	   +1 650 937-3419
180	   howes@netscape.com

182	9. Changes from draft-weltman-ldapv3-proxy-02.txt

184	9.1 Renamed Control

186	   The Control is now called Proxied Authorization Control, rather than
187	   Proxied Authentication Control, to reflect that no authentication
188	   occurs as a consequence of processing the Control.

190	9.2 Control envelope

192	   Rather than containing an LDAPDN as the Control value, the Control
193	   contains a Sequence (which contains an LDAPDN). This is to provide
194	   for future extensions.