idnits 2.17.1 

draft-weltman-ldapv3-proxy-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents -- however, there's a paragraph
     with a matching beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([AUTH]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 68: '... The criticality MUST be included and ...'
     RFC 2119 keyword, line 77: '...uest is denied, the server MUST return...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 48 has weird spacing: '...ocument  are...'

  == Line 124 has weird spacing: '...for the  purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'AUTH' on line 149 looks like a reference

  -- Missing reference section? 'LDAPV3' on line 142 looks like a reference

  -- Missing reference section? 'KEYWORDS' on line 145 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                        Rob Weltman
3	INTERNET-DRAFT                                            November, 2000

5	                   LDAP Proxied Authorization Control
6	                   draft-weltman-ldapv3-proxy-06.txt

8	Status of this Memo

10	   This document is an Internet-Draft and is in full conformance with
11	   all provisions of Section 10 of RFC2026.

13	   Internet-Drafts are working documents of the Internet Task Force
14	   (IETF), its areas, and its working groups.  Note that other groups
15	   may also distribute working documents as Internet-Drafts.

17	   Internet-Drafts are draft documents valid for a maximum of six months
18	   and may be updated, replaced, or obsoleted by other documents at any
19	   time.  It is inappropriate to use Internet Drafts as reference
20	   material or to cite them other than as "work in progress."

22	   The list of current Internet-Drafts can be accessed at
23	   http://www.ietf.org/ietf/1id-abstracts.txt

25	   The list of Internet-Draft Shadow Directories can be accessed at
26	   http://www.ietf.org/shadow.html.

28	Abstract

30	   This document defines support for the Proxied Authorization Control.
31	   Controls are an LDAP protocol version 3 extension, to allow passing
32	   arbitrary control information along with a standard request to a
33	   server, and to receive arbitrary information back with a standard
34	   result. The Proxied Authorization Control allows a client to request
35	   that an operation be processed under a provided authorization
36	   identity [AUTH] instead of as the current authorization identity
37	   associated with the connection.

39	1. Introduction

41	   Version 3 of the LDAP protocol provides a means of supplying
42	   arbitrary additional information along with a request to an LDAP
43	   server, and receiving arbitrary additional response information. The
44	   Control protocol extension is described in [LDAPV3], section 4.1.12.
45	   This document defines support for proxied authorization using the
46	   Control mechanism.

48	   The key words "MUST", "SHOULD", and "MAY" used in this document  are
49	   to be interpreted as described in [KEYWORDS].

51	PROXIED AUTHORIZATION CONTROL                            November 2000

53	2. Publishing support for the Proxied Authorization Control

55	   Support for the Proxied Authorization Control is indicated by the
56	   presence of the OID "2.16.840.1.113730.3.4.18" in the
57	   supportedControl attribute of a server's root DSE.

59	3. Proxied Authorization Control

61	   This control may be included in any search, compare, modify, add,
62	   delete, modDN or extended operation request message as part of the
63	   controls field of the LDAPMessage, as defined in [LDAPV3].

65	   The controlType of the proxied authorization control is
66	   "2.16.840.1.113730.3.4.18".

68	   The criticality MUST be included and MUST be TRUE.

70	   The control value is the BER encoded authorization identity to use
71	   for the request.

73	4. Permission to execute as proxy

75	   An LDAP server supporting the Proxied Authorization Control may
76	   choose to honor or not honor a particular request. If the control is
77	   supported but a particular request is denied, the server MUST return
78	   the error code insufficientAccessRights.

80	   A typical implementation will evaluate if the requester has proxy
81	   access rights at the base DN of the request. If the requester has
82	   proxy access rights, and if the authorization identity is recognized
83	   by the server, the request will be honored. If the request is
84	   honored, it will be executed as if submitted by the proxy identity.

86	   During evaluation of a search request, an entry which would have been
87	   returned for the search if submitted by the proxy identity directly
88	   may not be returned if the server finds that the requester does not
89	   have proxy rights to the entry, even if the entry is within the scope
90	   of a search request under a base DN which does imply such rights.
91	   This means that fewer results, or no results, may be returned
92	   compared to the case where the proxy identity issued the request
93	   directly. An example of such a case may be a system with fine-grained
94	   access control, where the proxy right requester has proxy rights at
95	   the top of a search tree, but not at or below a point or points
96	   within the tree.

98	5. Security Considerations
99	PROXIED AUTHORIZATION CONTROL                            November 2000

101	   The Proxied Authorization Control method is subject to standard LDAP
102	   security considerations. The control may be passed over a secure as
103	   well as over an insecure channel.

105	   The control allows for an additional authorization identity to be
106	   passed. In some deployments, these identities may contain
107	   confidential information which require privacy protection.

109	   Note that the server is responsible for determining if a proxied
110	   authorization request is to be honored.

112	6. Copyright

114	   Copyright (C) The Internet Society (date). All Rights Reserved.

116	   This document and translations of it may be copied and furnished to
117	   others, and derivative works that comment on or otherwise explain it
118	   or assist in its implementation may be prepared, copied, published
119	   and distributed, in whole or in part, without restriction of any
120	   kind, provided that the above copyright notice and this paragraph are
121	   included on all such copies and derivative works.  However, this
122	   document itself may not be modified in any way, such as by removing
123	   the copyright notice or references to the Internet Society or other
124	   Internet organizations, except as needed for the  purpose of
125	   developing Internet standards in which case the procedures for
126	   copyrights defined in the Internet Standards process must be
127	   followed, or as required to translate it into languages other than
128	   English.

130	   The limited permissions granted above are perpetual and will not be
131	   revoked by the Internet Society or its successors or assigns.

133	   This document and the information contained herein is provided on an
134	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
135	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
136	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
137	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
138	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

140	7. Bibliography

142	   [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
143	        Protocol (v3)", RFC 2251, December 1997.

145	   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
146	        Requirement Levels", draft-bradner-key-words-03.txt, January,
147	        1997.

149	   [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
150	        Methods for LDAP", RFC 2829, May 2000

152	PROXIED AUTHORIZATION CONTROL                            November 2000

154	8. Author's Address

156	   Rob Weltman
157	   +1 650 461 1708
158	   robw@worldspot.com

160	9. Acknowledgements

162	   Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
163	   Microsystems, Inc, and Kurt Zeilenga of OpenLDAP Foundation have
164	   contributed with reviews of this draft.

166	10. Changes from draft-weltman-ldapv3-proxy-05.txt

168	   The control also applies to add and extended operations.

170	   The control value is an authorization ID, not necessarily a DN.

172	   Confidentiality concerns are mentioned.

174	11. Changes from draft-weltman-ldapv3-proxy-04.txt

176	   The control does not apply to bind, unbind, or abandon operations.

178	   The proxy DN is represented as a string in the control, rather than
179	   embedded in a sequence.

181	   Support for the control is published in the supportedControl
182	   attribute of the root DSE, not in supportedExtensions.

184	   The security section mentions confidentiality issues with exposing an
185	   additional identity.

187	12. Changes from draft-weltman-ldapv3-proxy-03.txt

189	   None

191	13. Changes from draft-weltman-ldapv3-proxy-02.txt

193	13.1 Renamed Control

195	   The Control is now called Proxied Authorization Control, rather than
196	   Proxied Authentication Control, to reflect that no authentication
197	   occurs as a consequence of processing the Control.

199	PROXIED AUTHORIZATION CONTROL                            November 2000

201	13.2 Control envelope

203	   Rather than containing an LDAPDN as the Control value, the Control
204	   contains a Sequence (which contains an LDAPDN). This is to provide
205	   for future extensions.