idnits 2.17.1 

draft-weltman-ldapv3-proxy-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents -- however, there's a paragraph
     with a matching beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     RFC 2119 keyword, line 75: '... The criticality MUST be present and M...'
     RFC 2119 keyword, line 79: '...The controlValue SHALL be present and ...'
     RFC 2119 keyword, line 121: '... honored. "Anonymous" users SHOULD NOT...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 54 has weird spacing: '...ocument  are  ...'

  == Line 146 has weird spacing: '...for the  purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 2003) is 7681 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Unexpected draft version: The latest known version of 
     draft-bradner-key-words is -02, but you're referring to -03.

  ** Obsolete normative reference: RFC 3377 (ref. 'LDAPV3') (Obsoleted by RFC
     4510)

  ** Obsolete normative reference: RFC 2222 (ref. 'SASL') (Obsoleted by RFC
     4422, RFC 4752)

  ** Obsolete normative reference: RFC 2829 (ref. 'AUTH') (Obsoleted by RFC
     4510, RFC 4513)

  ** Obsolete normative reference: RFC 2830 (ref. 'LDAPTLS') (Obsoleted by
     RFC 4510, RFC 4511, RFC 4513)

  ** Obsolete normative reference: RFC 2251 (Obsoleted by RFC 4510, RFC 4511,
     RFC 4512, RFC 4513)

  ** Obsolete normative reference: RFC 2252 (Obsoleted by RFC 4510, RFC 4512,
     RFC 4517, RFC 4523)

  -- Duplicate reference: RFC2829, mentioned in 'RFC 2829', was also
     mentioned in 'AUTH'.

  ** Obsolete normative reference: RFC 2829 (Obsoleted by RFC 4510, RFC 4513)

  ** Obsolete normative reference: RFC 3383 (Obsoleted by RFC 4520)


     Summary: 12 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                                               Rob Weltman
3	Intended Category: Standards Track         Netscape Communications Corp.
4	                                                              April 2003

6	                   LDAP Proxied Authorization Control
7	                   draft-weltman-ldapv3-proxy-12.txt

9	Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of RFC2026.

14	   Internet-Drafts are working documents of the Internet Task Force
15	   (IETF), its areas, and its working groups.  Note that other groups
16	   may also distribute working documents as Internet-Drafts.

18	   Internet-Drafts are draft documents valid for a maximum of six months
19	   and may be updated, replaced, or obsoleted by other documents at any
20	   time.  It is inappropriate to use Internet Drafts as reference
21	   material or to cite them other than as "work in progress."

23	   The list of current Internet-Drafts can be accessed at
24	   http://www.ietf.org/ietf/1id-abstracts.txt

26	   The list of Internet-Draft Shadow Directories can be accessed at
27	   http://www.ietf.org/shadow.html.

29	Abstract

31	   This document defines the Lightweight Directory Access Protocol
32	   (LDAP) Proxy Authorization Control. The Proxy Authorization Control
33	   allows a client to request that an operation be processed under a
34	   provided authorization identity instead of as the current
35	   authorization identity associated with the connection.

37	1. Introduction

39	   Proxy authorization allows a client to request that an operation be
40	   processed under a provided authorization identity instead of as the
41	   current authorization identity associated with the connection. This
42	   document defines support for proxy authorization using the Control
43	   mechanism [RFC 2251]. The Lightweight Directory Access Protocol
44	   [LDAPV3] supports the use of the Simple Authentication and Security
45	   Layer [SASL] for authentication and for supplying an authorization
46	   identity distinct from the authentication identity, where the
47	   authorization identity applies to the whole LDAP session. The Proxy
48	   Authorization Control provides a mechanism for specifying an
49	   authorization identity on a per operation basis, benefiting clients
50	   that need to efficiently perform operations on behalf of multiple
51	   users.

53	   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
54	   used in this document  are  to be interpreted as described in
55	   [KEYWORDS].

57	2. Publishing support for the Proxy Authorization Control

59	   Support for the Proxy Authorization Control is indicated by the
60	   presence of the Object Identifier (OID) "2.16.840.1.113730.3.4.18" in
61	   the supportedControl attribute [RFC 2252] of a server's root DSE.

63	3. Proxy Authorization Control

65	   A single Proxy Authorization Control may be included in any search,
66	   compare, modify, add, delete, modify DN or extended operation request
67	   message with the exception of any extension that causes a change in
68	   authentication, authorization, or data confidentiality [RFC 2829],
69	   such as Start TLS [LDAPTLS] as part of the controls field of the
70	   LDAPMessage, as defined in [RFC 2251].

72	   The controlType of the proxy authorization control is
73	   "2.16.840.1.113730.3.4.18".

75	   The criticality MUST be present and MUST be TRUE. This requirement
76	   protects clients from submitting a request that is executed with an
77	   unintended authorization identity.

79	   The controlValue SHALL be present and contain either an authzId
80	   [AUTH] representing the authorization identity for the request or
81	   empty if an anonymous association is to be used.

83	   The mechanism for determining proxy access rights is specific to the
84	   server's proxy authorization policy.

86	   If the requested authorization identity is recognized by the server,
87	   and the client is authorized to adopt the requested authorization
88	   identity, the request will be executed as if submitted by the proxy
89	   authorization identity, otherwise the result code TBD is returned.
90	   [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
91	   with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6]

93	4. Implementation Considerations

95	   One possible interaction of proxy authorization and normal access
96	   control is illustrated here for the case of search requests. During
97	   evaluation of a search request, an entry which would have been
98	   returned for the search if submitted by the proxy authorization
99	   identity directly may not be returned if the server finds that the
100	   requester does not have the right to assume the requested identity
101	   for searching the entry, even if the entry is within the scope of a
102	   search request under a base DN which does imply such rights. This
103	   means that fewer results, or no results, may be returned compared to
104	   the case where the proxy authorization identity issued the request
105	   directly. An example of such a case may be a system with fine-grained
106	   access control, where the proxy right requester has proxy rights at
107	   the top of a search tree, but not at or below a point or points
108	   within the tree.

110	5. Security Considerations

112	   The Proxy Authorization Control method is subject to general LDAP
113	   security considerations [RFC 2251] [AUTH] [LDAPTLS]. The control may
114	   be passed over a secure as well as over an insecure channel.

116	   The control allows for an additional authorization identity to be
117	   passed. In some deployments, these identities may contain
118	   confidential information which require privacy protection.

120	   Note that the server is responsible for determining if a proxy
121	   authorization request is to be honored. "Anonymous" users SHOULD NOT
122	   be allowed to assume the identity of others.

124	6. IANA Considerations

126	   The OID "2.16.840.1.113730.3.4.18" is reserved for the Proxy
127	   Authorization Control. It is to be registered as an LDAP Protocol
128	   Mechanism [RFC 3383].

130	   A result code for the case where the server does not execute a
131	   request using the proxy authorization identity is to be assigned by
132	   the IANA.

134	7. Copyright

136	   Copyright (C) The Internet Society (date). All Rights Reserved.

138	   This document and translations of it may be copied and furnished to
139	   others, and derivative works that comment on or otherwise explain it
140	   or assist in its implementation may be prepared, copied, published
141	   and distributed, in whole or in part, without restriction of any
142	   kind, provided that the above copyright notice and this paragraph are
143	   included on all such copies and derivative works.  However, this
144	   document itself may not be modified in any way, such as by removing
145	   the copyright notice or references to the Internet Society or other
146	   Internet organizations, except as needed for the  purpose of
147	   developing Internet standards in which case the procedures for
148	   copyrights defined in the Internet Standards process must be
149	   followed, or as required to translate it into languages other than
150	   English.

152	   The limited permissions granted above are perpetual and will not be
153	   revoked by the Internet Society or its successors or assigns.

155	   This document and the information contained herein is provided on an
156	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
157	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
158	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
159	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
160	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

162	8. Normative References

164	   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
165	        Requirement Levels", draft-bradner-key-words-03.txt, January,
166	        1997.

168	   [LDAPV3] Hodges, J. and R. Morgan, "Lightweight Directory Access
169	        Protocol (v3): Technical Specification", RFC 3377, September
170	        2002.

172	   [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)",
173	        RFC 2222, October 1997

175	   [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
176	        Methods for LDAP", RFC 2829, May 2000

178	   [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
179	        Access Protocol (v3): Extension for Transport Layer Security",
180	        RFC 2830, May 2000

182	   [RFC 2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
183	        Protocol (v3)", RFC 2251, December 1997.

185	   [RFC 2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
186	        Directory Access Protocol (v3): Attribute Syntax Definitions",
187	        RFC 2252, December 1997

189	   [RFC 2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
190	        "Authentication Methods for LDAP", RFC 2829, May 2000

192	   [RFC 3383] K. Zeilenga, "Internet Assigned Numbers Authority (IANA)
193	        Considerations for the Lightweight Directory Access Protocol
194	        (LDAP)", RFC 3383, September 2002

196	9. Author's Address

198	   Rob Weltman
199	   Netscape Communications Corp.
200	   360 W. Caribbean Drive
201	   Sunnyvale, CA 94089
202	   USA
203	   +1 650 937-3194
204	   rweltman@netscape.com

206	10. Acknowledgements

208	   Mark Smith of Netscape Communications Corp., Mark Wahl of Sun
209	   Microsystems, Inc, Kurt Zeilenga of OpenLDAP Foundation, Jim
210	   Sermersheim of Novell, and Steven Legg of Adacel have contributed
211	   with reviews of this document.