idnits 2.17.1 

draft-weltman-ldapv3-proxy-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents -- however, there's a paragraph
     with a matching beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([AUTH]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     RFC 2119 keyword, line 70: '... The criticality MUST be present and M...'
     RFC 2119 keyword, line 118: '... honored. "Anonymous" users SHOULD NOT...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 49 has weird spacing: '...ocument  are  ...'

  == Line 133 has weird spacing: '...for the  purpo...'

  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used.  Consider using 'MUST
     NOT' instead (if that is what you mean).
     
     Found 'MAY NOT' in this paragraph:
     
    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and
     "MAY NOT" used in this document  are  to be interpreted as described in
     [KEYWORDS].

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 2002) is 8014 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'LDAPv3' is mentioned on line 74, but not defined

  ** Obsolete normative reference: RFC 2251 (ref. 'LDAPV3') (Obsoleted by RFC
     4510, RFC 4511, RFC 4512, RFC 4513)

  -- Unexpected draft version: The latest known version of 
     draft-bradner-key-words is -02, but you're referring to -03.

  ** Obsolete normative reference: RFC 2222 (ref. 'SASL') (Obsoleted by RFC
     4422, RFC 4752)

  ** Obsolete normative reference: RFC 2829 (ref. 'AUTH') (Obsoleted by RFC
     4510, RFC 4513)

  ** Obsolete normative reference: RFC 2830 (ref. 'LDAPTLS') (Obsoleted by
     RFC 4510, RFC 4511, RFC 4513)

  ** Obsolete normative reference: RFC 2828 (Obsoleted by RFC 4949)


     Summary: 12 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                                               Rob Weltman
3	Intended Category: Standards Track         Netscape Communications Corp.
4	                                                              May 2002

6	                   LDAP Proxied Authorization Control
7	                   draft-weltman-ldapv3-proxy-11.txt

9	Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of RFC2026.

14	   Internet-Drafts are working documents of the Internet Task Force
15	   (IETF), its areas, and its working groups.  Note that other groups
16	   may also distribute working documents as Internet-Drafts.

18	   Internet-Drafts are draft documents valid for a maximum of six months
19	   and may be updated, replaced, or obsoleted by other documents at any
20	   time.  It is inappropriate to use Internet Drafts as reference
21	   material or to cite them other than as "work in progress."

23	   The list of current Internet-Drafts can be accessed at
24	   http://www.ietf.org/ietf/1id-abstracts.txt

26	   The list of Internet-Draft Shadow Directories can be accessed at
27	   http://www.ietf.org/shadow.html.

29	Abstract

31	   This document defines the Lightweight Directory Access Protocol
32	   (LDAP) Proxied Authorization Control. The Proxied Authorization
33	   Control allows a client to request that an operation be processed
34	   under a provided authorization identity [AUTH] instead of as the
35	   current authorization identity associated with the connection.

37	1. Introduction

39	   This document defines support for proxied authorization using the
40	   Control mechanism. LDAP [LDAPV3] supports the use of SASL [SASL] for
41	   authentication and for supplying an authorization identity distinct
42	   from the authentication identity, where the authorization identity
43	   applies to the whole LDAP session. The proposed Proxied Authorization
44	   Control provides a mechanism for specifying an authorization identity
45	   on a per operation basis, benefiting clients that need to efficiently
46	   perform operations on behalf of multiple users.

48	   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY", and
49	   "MAY NOT" used in this document  are  to be interpreted as described
50	   in [KEYWORDS].

52	2. Publishing support for the Proxied Authorization Control

54	   Support for the Proxied Authorization Control is indicated by the
55	   presence of the OID "2.16.840.1.113730.3.4.18" in the
56	   supportedControl attribute of a server's root DSE.

58	3. Proxied Authorization Control

60	   A single Proxied Authorization Control may be included in any search,
61	   compare, modify, add, delete, modDN or extended operation request
62	   message (with the exception of any extension that causes a change in
63	   authentication, authorization, or data confidentiality [RFC 2828],
64	   such as startTLS) as part of the controls field of the LDAPMessage,
65	   as defined in [LDAPV3].

67	   The controlType of the proxied authorization control is
68	   "2.16.840.1.113730.3.4.18".

70	   The criticality MUST be present and MUST be TRUE. This requirement
71	   protects clients from submitting a request that is executed with an
72	   unintended authorization identity.

74	   The controlValue is either an LDAPString [LDAPv3] containing an
75	   authzId as defined in section 9 of [AUTH] to use as the authorization
76	   identity for the request, or an empty value if the anonymous identity
77	   is to be used.

79	   The mechanism for determining proxy access rights is specific to the
80	   server's access control policy.

82	   If the requested authorization identity is recognized by the server,
83	   and the client is authorized to adopt the requested authorization
84	   identity, the request will be executed as if submitted by the proxied
85	   authorization identity, otherwise the result code TBD is returned.
86	   [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
87	   with an IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana-
88	   xx.txt, Section 3.5)]

90	4. Implementation Considerations

92	   The interaction of proxied authorization access control and normal
93	   access control is illustrated here for the case of search requests.
94	   During evaluation of a search request, an entry which would have been
95	   returned for the search if submitted by the proxied authorization
96	   identity directly may not be returned if the server finds that the
97	   requester does not have the right to assume the requested identity
98	   for searching the entry, even if the entry is within the scope of a
99	   search request under a base DN which does imply such rights. This
100	   means that fewer results, or no results, may be returned compared to
101	   the case where the proxied authorization identity issued the request
102	   directly. An example of such a case may be a system with fine-grained
103	   access control, where the proxy right requester has proxy rights at
104	   the top of a search tree, but not at or below a point or points
105	   within the tree.

107	5. Security Considerations

109	   The Proxied Authorization Control method is subject to general LDAP
110	   security considerations [LDAPV3] [AUTH] [LDAPTLS]. The control may be
111	   passed over a secure as well as over an insecure channel.

113	   The control allows for an additional authorization identity to be
114	   passed. In some deployments, these identities may contain
115	   confidential information which require privacy protection.

117	   Note that the server is responsible for determining if a proxied
118	   authorization request is to be honored. "Anonymous" users SHOULD NOT
119	   be allowed to assume the identity of others.

121	6. Copyright

123	   Copyright (C) The Internet Society (date). All Rights Reserved.

125	   This document and translations of it may be copied and furnished to
126	   others, and derivative works that comment on or otherwise explain it
127	   or assist in its implementation may be prepared, copied, published
128	   and distributed, in whole or in part, without restriction of any
129	   kind, provided that the above copyright notice and this paragraph are
130	   included on all such copies and derivative works.  However, this
131	   document itself may not be modified in any way, such as by removing
132	   the copyright notice or references to the Internet Society or other
133	   Internet organizations, except as needed for the  purpose of
134	   developing Internet standards in which case the procedures for
135	   copyrights defined in the Internet Standards process must be
136	   followed, or as required to translate it into languages other than
137	   English.

139	   The limited permissions granted above are perpetual and will not be
140	   revoked by the Internet Society or its successors or assigns.

142	   This document and the information contained herein is provided on an
143	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
144	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
145	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
146	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
147	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

149	7. References

151	   [LDAPV3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
152	        Protocol (v3)", RFC 2251, December 1997.

154	   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
155	        Requirement Levels", draft-bradner-key-words-03.txt, January,
156	        1997.

158	    [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
159	        RFC 2222, October 1997

161	   [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
162	        Methods for LDAP", RFC 2829, May 2000

164	   [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
165	        Access Protocol (v3): Extension for Transport Layer Security",
166	        RFC 2830, May 2000

168	   [RFC 2828] R. Shirey, "Internet Security Glossary", RFC 2828, May
169	        2000

171	8. Author's Address

173	   Rob Weltman
174	   Netscape Communications Corp.
175	   466 Ellis Street
176	   Mountain View, CA 94043
177	   USA
178	   +1 650 937-3194
179	   rweltman@netscape.com

181	9. Acknowledgements

183	   Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
184	   Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
185	   Sermersheim of Novell, and Steven Legg of Adacel have contributed
186	   with reviews of this draft.

188	10. Revision History

190	10.1 Changes from draft-weltman-ldapv3-proxy-10.txt

192	   Clarified the interaction of proxy access rights and normal access
193	   control evaluation.

195	10.2 Changes from draft-weltman-ldapv3-proxy-09.txt

197	   Removed description of Control mechanism from Abstract.

199	   Added description of how this is different from SASL authz to the
200	   Introduction.

202	   Reworded description of the value of the control (no semantic
203	   changes).
204	   Added new result code TBD for failure to acquire proxy rights.

206	   Added references to RFCs 2829 and 2830 in Security section.

208	10.3 Changes from draft-weltman-ldapv3-proxy-08.txt

210	   Proxied Authorization Control

212	   Clarifications:  the control may not be submitted with a startTLS
213	   request; an empty controlValue implies the anonymous identity; only
214	   one control may be included with a request.

216	   Permission to execute as proxy

218	   Replaced "proxy identity" with "proxied authorization identity".

220	   Security Considerations

222	   Added statement that anonymous users should not be allowed to assume
223	   the identity of others.

225	10.4 Changes from draft-weltman-ldapv3-proxy-07.txt

227	   Proxied Authorization Control

229	   Clarification:  the content of the control is an LDAPString.

231	10.5 Changes from draft-weltman-ldapv3-proxy-06.txt

233	   None

235	10.6 Changes from draft-weltman-ldapv3-proxy-05.txt

237	   The control also applies to add and extended operations.

239	   The control value is an authorization ID, not necessarily a DN.

241	   Confidentiality concerns are mentioned.

243	10.7 Changes from draft-weltman-ldapv3-proxy-04.txt

245	   The control does not apply to bind, unbind, or abandon operations.

247	   The proxy DN is represented as a string in the control, rather than
248	   embedded in a sequence.

250	   Support for the control is published in the supportedControl
251	   attribute of the root DSE, not in supportedExtensions.

253	   The security section mentions confidentiality issues with exposing an
254	   additional identity.

256	10.8 Changes from draft-weltman-ldapv3-proxy-03.txt

258	   None

260	10.9 Changes from draft-weltman-ldapv3-proxy-02.txt

262	   The Control is now called Proxied Authorization Control, rather than
263	   Proxied Authentication Control, to reflect that no authentication
264	   occurs as a consequence of processing the Control.

266	   Rather than containing an LDAPDN as the Control value, the Control
267	   contains a Sequence (which contains an LDAPDN). This is to provide
268	   for future extensions.