idnits 2.17.1 

draft-weltman-ldapv3-proxy-09.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents -- however, there's a paragraph
     with a matching beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([AUTH]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 70: '... The criticality MUST be included and ...'
     RFC 2119 keyword, line 80: '...uest is denied, the server MUST return...'
     RFC 2119 keyword, line 90: '...ooting, a server MAY include informati...'
     RFC 2119 keyword, line 124: '... honored. "Anonymous" users SHOULD NOT...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 49 has weird spacing: '...ocument  are...'

  == Line 139 has weird spacing: '...for the  purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (December 2001) is 8167 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'AUTH' on line 165 looks like a reference

  -- Missing reference section? 'LDAPV3' on line 158 looks like a reference

  -- Missing reference section? 'KEYWORDS' on line 161 looks like a reference

  -- Missing reference section? 'LDAPv3' on line 72 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                                               Rob Weltman
3	Intended Category: Standards Track         Netscape Communications Corp.
4	                                                           December 2001

6	                   LDAP Proxied Authorization Control
7	                   draft-weltman-ldapv3-proxy-09.txt

9	Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of RFC2026.

14	   Internet-Drafts are working documents of the Internet Task Force
15	   (IETF), its areas, and its working groups.  Note that other groups
16	   may also distribute working documents as Internet-Drafts.

18	   Internet-Drafts are draft documents valid for a maximum of six months
19	   and may be updated, replaced, or obsoleted by other documents at any
20	   time.  It is inappropriate to use Internet Drafts as reference
21	   material or to cite them other than as "work in progress."

23	   The list of current Internet-Drafts can be accessed at
24	   http://www.ietf.org/ietf/1id-abstracts.txt

26	   The list of Internet-Draft Shadow Directories can be accessed at
27	   http://www.ietf.org/shadow.html.

29	Abstract

31	   This document defines support for the Proxied Authorization Control.
32	   Controls are an LDAP protocol version 3 extension, to allow passing
33	   arbitrary control information along with a standard request to a
34	   server, and to receive arbitrary information back with a standard
35	   result. The Proxied Authorization Control allows a client to request
36	   that an operation be processed under a provided authorization
37	   identity [AUTH] instead of as the current authorization identity
38	   associated with the connection.

40	1. Introduction

42	   Version 3 of the LDAP protocol provides a means of supplying
43	   arbitrary additional information along with a request to an LDAP
44	   server, and receiving arbitrary additional response information. The
45	   Control protocol extension is described in [LDAPV3], section 4.1.12.
46	   This document defines support for proxied authorization using the
47	   Control mechanism.

49	   The key words "MUST", "SHOULD", and "MAY" used in this document  are
50	   to be interpreted as described in [KEYWORDS].

52	PROXIED AUTHORIZATION CONTROL                            December 2001

54	2. Publishing support for the Proxied Authorization Control

56	   Support for the Proxied Authorization Control is indicated by the
57	   presence of the OID "2.16.840.1.113730.3.4.18" in the
58	   supportedControl attribute of a server's root DSE.

60	3. Proxied Authorization Control

62	   A single Proxied Authorization Control may be included in any search,
63	   compare, modify, add, delete, modDN or extended operation (except for
64	   startTLS) request message as part of the controls field of the
65	   LDAPMessage, as defined in [LDAPV3].

67	   The controlType of the proxied authorization control is
68	   "2.16.840.1.113730.3.4.18".

70	   The criticality MUST be included and MUST be TRUE.

72	   The control value is an LDAPString [LDAPv3] containing an authzId as
73	   defined in section 9 of [AUTH]. This is the authorization identity to
74	   use for the request. An empty authzId implies the anonymous identity.

76	4. Permission to execute as proxy

78	   An LDAP server supporting the Proxied Authorization Control may
79	   choose to honor or not honor a particular request. If the control is
80	   supported but a particular request is denied, the server MUST return
81	   the error code insufficientAccessRights.

83	   A typical implementation will evaluate if the requester has proxy
84	   access rights at the base DN of the request. If the requester has
85	   proxy access rights, and if the authorization identity is recognized
86	   by the server, the request will be honored. If the request is
87	   honored, it will be executed as if submitted by the proxied
88	   authorization identity.

90	   To aid in troubleshooting, a server MAY include information in the
91	   errorMessage field of the LDAPResult to help a human distinguish
92	   between the case where insufficientAccessRights is returned because
93	   the client is not authorized to adopt the requested authorization
94	   identity and the case where the requested authorization identity was
95	   adopted but the authorization identity did not permit execution of
96	   the operation.

98	   During evaluation of a search request, an entry which would have been
99	   returned for the search if submitted by the proxied authorization
100	   identity directly may not be returned if the server finds that the
101	   requester does not have proxy rights to the entry, even if the entry
102	   is within the scope of a search request under a base DN which does
103	   imply such rights. This means that fewer results, or no results, may

105	PROXIED AUTHORIZATION CONTROL                            December 2001

107	   be returned compared to the case where the proxied authorization
108	   identity issued the request directly. An example of such a case may
109	   be a system with fine-grained access control, where the proxy right
110	   requester has proxy rights at the top of a search tree, but not at or
111	   below a point or points within the tree.

113	5. Security Considerations

115	   The Proxied Authorization Control method is subject to standard LDAP
116	   security considerations. The control may be passed over a secure as
117	   well as over an insecure channel.

119	   The control allows for an additional authorization identity to be
120	   passed. In some deployments, these identities may contain
121	   confidential information which require privacy protection.

123	   Note that the server is responsible for determining if a proxied
124	   authorization request is to be honored. "Anonymous" users SHOULD NOT
125	   be allowed to assume the identity of others.

127	6. Copyright

129	   Copyright (C) The Internet Society (date). All Rights Reserved.

131	   This document and translations of it may be copied and furnished to
132	   others, and derivative works that comment on or otherwise explain it
133	   or assist in its implementation may be prepared, copied, published
134	   and distributed, in whole or in part, without restriction of any
135	   kind, provided that the above copyright notice and this paragraph are
136	   included on all such copies and derivative works.  However, this
137	   document itself may not be modified in any way, such as by removing
138	   the copyright notice or references to the Internet Society or other
139	   Internet organizations, except as needed for the  purpose of
140	   developing Internet standards in which case the procedures for
141	   copyrights defined in the Internet Standards process must be
142	   followed, or as required to translate it into languages other than
143	   English.

145	   The limited permissions granted above are perpetual and will not be
146	   revoked by the Internet Society or its successors or assigns.

148	   This document and the information contained herein is provided on an
149	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
150	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
151	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
152	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
153	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

155	7. Bibliography
156	PROXIED AUTHORIZATION CONTROL                            December 2001

158	   [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
159	        Protocol (v3)", RFC 2251, December 1997.

161	   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
162	        Requirement Levels", draft-bradner-key-words-03.txt, January,
163	        1997.

165	   [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
166	        Methods for LDAP", RFC 2829, May 2000

168	8. Author's Address

170	   Rob Weltman
171	   Netscape Communications Corp.
172	   466 Ellis Street
173	   Mountain View, CA 94043
174	   USA
175	   +1 650 937-3194
176	   rweltman@netscape.com

178	9. Acknowledgements

180	   Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
181	   Microsystems, Inc, and Kurt Zeilenga of OpenLDAP Foundation have
182	   contributed with reviews of this draft.

184	10. Changes from draft-weltman-ldapv3-proxy-08.txt

186	   Proxied Authorization Control

188	   Clarifications:  the control may not be submitted with a startTLS
189	   request; an empty controlValue implies the anonymous identity; only
190	   one control may be included with a request.

192	   Permission to execute as proxy

194	   Replaced "proxy identity" with "proxied authorization identity".

196	   Security Considerations

198	   Added statement that anonymous users should not be allowed to assume
199	   the identity of others.

201	11. Changes from draft-weltman-ldapv3-proxy-07.txt

203	   Proxied Authorization Control

205	   Clarification:  the content of the control is an LDAPString.

207	PROXIED AUTHORIZATION CONTROL                            December 2001

209	12. Changes from draft-weltman-ldapv3-proxy-06.txt

211	   None

213	13. Changes from draft-weltman-ldapv3-proxy-05.txt

215	   The control also applies to add and extended operations.

217	   The control value is an authorization ID, not necessarily a DN.

219	   Confidentiality concerns are mentioned.

221	14. Changes from draft-weltman-ldapv3-proxy-04.txt

223	   The control does not apply to bind, unbind, or abandon operations.

225	   The proxy DN is represented as a string in the control, rather than
226	   embedded in a sequence.

228	   Support for the control is published in the supportedControl
229	   attribute of the root DSE, not in supportedExtensions.

231	   The security section mentions confidentiality issues with exposing an
232	   additional identity.

234	15. Changes from draft-weltman-ldapv3-proxy-03.txt

236	   None

238	16. Changes from draft-weltman-ldapv3-proxy-02.txt

240	16.1 Renamed Control

242	   The Control is now called Proxied Authorization Control, rather than
243	   Proxied Authentication Control, to reflect that no authentication
244	   occurs as a consequence of processing the Control.

246	16.2 Control envelope

248	   Rather than containing an LDAPDN as the Control value, the Control
249	   contains a Sequence (which contains an LDAPDN). This is to provide
250	   for future extensions.