idnits 2.17.1 draft-weltman-ldapv3-proxy-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5 on line 159. ** The document claims conformance with section 10 of RFC 2026, but uses some RFC 3978/3979 boilerplate. As RFC 3978/3979 replaces section 10 of RFC 2026, you should not claim conformance with it if you have changed to using RFC 3978/3979 boilerplate. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document seems to lack an RFC 3979 Section 5, para. 1 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 2 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 3 IPR Disclosure Invitation. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? RFC 2119 keyword, line 79: '... The criticality MUST be present and M...' RFC 2119 keyword, line 83: '... Clients MUST include the criticalit...' RFC 2119 keyword, line 84: '... Servers MUST reject any request con...' RFC 2119 keyword, line 90: '...The controlValue SHALL be present and ...' RFC 2119 keyword, line 132: '... honored. "Anonymous" users SHOULD NOT...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 58 has weird spacing: '...ocument are ...' == Line 169 has weird spacing: '...for the purpo...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 2005) is 6890 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Unexpected draft version: The latest known version of draft-bradner-key-words is -02, but you're referring to -03. ** Obsolete normative reference: RFC 3377 (ref. 'LDAPV3') (Obsoleted by RFC 4510) ** Obsolete normative reference: RFC 2222 (ref. 'SASL') (Obsoleted by RFC 4422, RFC 4752) ** Obsolete normative reference: RFC 2829 (ref. 'AUTH') (Obsoleted by RFC 4510, RFC 4513) ** Obsolete normative reference: RFC 2830 (ref. 'LDAPTLS') (Obsoleted by RFC 4510, RFC 4511, RFC 4513) ** Obsolete normative reference: RFC 2251 (Obsoleted by RFC 4510, RFC 4511, RFC 4512, RFC 4513) ** Obsolete normative reference: RFC 2252 (Obsoleted by RFC 4510, RFC 4512, RFC 4517, RFC 4523) -- Duplicate reference: RFC2829, mentioned in 'RFC 2829', was also mentioned in 'AUTH'. ** Obsolete normative reference: RFC 2829 (Obsoleted by RFC 4510, RFC 4513) ** Obsolete normative reference: RFC 3383 (Obsoleted by RFC 4520) Summary: 16 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT Rob Weltman 3 Intended Category: Standards Track Yahoo!, Inc. 4 June 2005 6 LDAP Proxied Authorization Control 7 draft-weltman-ldapv3-proxy-13.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that other 21 groups may also distribute working documents as Internet-Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/1id-abstracts.html 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html 33 Abstract 35 This document defines the Lightweight Directory Access Protocol 36 (LDAP) Proxy Authorization Control. The Proxy Authorization Control 37 allows a client to request that an operation be processed under a 38 provided authorization identity instead of as the current 39 authorization identity associated with the connection. 41 1. Introduction 43 Proxy authorization allows a client to request that an operation be 44 processed under a provided authorization identity instead of as the 45 current authorization identity associated with the connection. This 46 document defines support for proxy authorization using the Control 47 mechanism [RFC 2251]. The Lightweight Directory Access Protocol 48 [LDAPV3] supports the use of the Simple Authentication and Security 49 Layer [SASL] for authentication and for supplying an authorization 50 identity distinct from the authentication identity, where the 51 authorization identity applies to the whole LDAP session. The Proxy 52 Authorization Control provides a mechanism for specifying an 53 authorization identity on a per operation basis, benefiting clients 54 that need to efficiently perform operations on behalf of multiple 55 users. 57 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" 58 used in this document are to be interpreted as described in 59 [KEYWORDS]. 61 2. Publishing support for the Proxy Authorization Control 63 Support for the Proxy Authorization Control is indicated by the 64 presence of the Object Identifier (OID) "2.16.840.1.113730.3.4.18" in 65 the supportedControl attribute [RFC 2252] of a server's root DSE. 67 3. Proxy Authorization Control 69 A single Proxy Authorization Control may be included in any search, 70 compare, modify, add, delete, modify DN or extended operation request 71 message with the exception of any extension that causes a change in 72 authentication, authorization, or data confidentiality [RFC 2829], 73 such as Start TLS [LDAPTLS] as part of the controls field of the 74 LDAPMessage, as defined in [RFC 2251]. 76 The controlType of the proxy authorization control is 77 "2.16.840.1.113730.3.4.18". 79 The criticality MUST be present and MUST be TRUE. This requirement 80 protects clients from submitting a request that is executed with an 81 unintended authorization identity. 83 Clients MUST include the criticality flag and MUST set it to TRUE. 84 Servers MUST reject any request containing a Proxy Authorization 85 Control without a criticality flag or with the flag set to FALSE with 86 a protocolError error. These requirements protect clients from 87 submitting a request that is executed with an unintended 88 authorization identity. 90 The controlValue SHALL be present and contain either an authzId 91 [AUTH] representing the authorization identity for the request or 92 empty if an anonymous association is to be used. 94 The mechanism for determining proxy access rights is specific to the 95 server's proxy authorization policy. 97 If the requested authorization identity is recognized by the server, 98 and the client is authorized to adopt the requested authorization 99 identity, the request will be executed as if submitted by the proxy 100 authorization identity, otherwise the result code TBD is returned. 101 [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced 102 with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6] 104 4. Implementation Considerations 106 One possible interaction of proxy authorization and normal access 107 control is illustrated here for the case of search requests. During 108 evaluation of a search request, an entry which would have been 109 returned for the search if submitted by the proxy authorization 110 identity directly may not be returned if the server finds that the 111 requester does not have the right to assume the requested identity 112 for searching the entry, even if the entry is within the scope of a 113 search request under a base DN which does imply such rights. This 114 means that fewer results, or no results, may be returned compared to 115 the case where the proxy authorization identity issued the request 116 directly. An example of such a case may be a system with fine-grained 117 access control, where the proxy right requester has proxy rights at 118 the top of a search tree, but not at or below a point or points 119 within the tree. 121 5. Security Considerations 123 The Proxy Authorization Control method is subject to general LDAP 124 security considerations [RFC 2251] [AUTH] [LDAPTLS]. The control may 125 be passed over a secure as well as over an insecure channel. 127 The control allows for an additional authorization identity to be 128 passed. In some deployments, these identities may contain 129 confidential information which require privacy protection. 131 Note that the server is responsible for determining if a proxy 132 authorization request is to be honored. "Anonymous" users SHOULD NOT 133 be allowed to assume the identity of others. 135 6. IANA Considerations 137 The OID "2.16.840.1.113730.3.4.18" is reserved for the Proxy 138 Authorization Control. It is to be registered as an LDAP Protocol 139 Mechanism [RFC 3383]. 141 A result code for the case where the server does not execute a 142 request using the proxy authorization identity is to be assigned by 143 the IANA. 145 7. Copyright 147 Copyright (C) The Internet Society (2005). 149 This document is subject to the rights, licenses and restrictions 150 contained in BCP 78, and except as set forth therein, the authors 151 retain all their rights. 153 This document and the information contained herein are provided on an 154 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 155 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 156 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 157 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 158 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 159 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 161 This document and translations of it may be copied and furnished to 162 others, and derivative works that comment on or otherwise explain it 163 or assist in its implementation may be prepared, copied, published 164 and distributed, in whole or in part, without restriction of any 165 kind, provided that the above copyright notice and this paragraph are 166 included on all such copies and derivative works. However, this 167 document itself may not be modified in any way, such as by removing 168 the copyright notice or references to the Internet Society or other 169 Internet organizations, except as needed for the purpose of 170 developing Internet standards in which case the procedures for 171 copyrights defined in the Internet Standards process must be 172 followed, or as required to translate it into languages other than 173 English. 175 The limited permissions granted above are perpetual and will not be 176 revoked by the Internet Society or its successors or assigns. 178 8. Normative References 180 [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate 181 Requirement Levels", draft-bradner-key-words-03.txt, January, 182 1997. 184 [LDAPV3] Hodges, J. and R. Morgan, "Lightweight Directory Access 185 Protocol (v3): Technical Specification", RFC 3377, September 186 2002. 188 [SASL] J. Myers, "Simple Authentication and Security Layer (SASL)", 189 RFC 2222, October 1997 191 [AUTH] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication 192 Methods for LDAP", RFC 2829, May 2000 194 [LDAPTLS] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory 195 Access Protocol (v3): Extension for Transport Layer Security", 196 RFC 2830, May 2000 198 [RFC 2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access 199 Protocol (v3)", RFC 2251, December 1997. 201 [RFC 2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight 202 Directory Access Protocol (v3): Attribute Syntax Definitions", 203 RFC 2252, December 1997 205 [RFC 2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, 206 "Authentication Methods for LDAP", RFC 2829, May 2000 208 [RFC 3383] K. Zeilenga, "Internet Assigned Numbers Authority (IANA) 209 Considerations for the Lightweight Directory Access Protocol 210 (LDAP)", RFC 3383, September 2002 212 9. Author's Address 214 Rob Weltman 215 Yahoo!, Inc 216 701 First Avenue 217 Sunnyvale, CA 94089 218 USA 219 +1 408 349-5504 220 robw@worldspot.com 222 10. Acknowledgements 224 Mark Smith, formerly of Netscape Communications Corp., Mark Wahl, 225 formerly of Sun Microsystems, Inc, Kurt Zeilenga of OpenLDAP 226 Foundation, Jim Sermersheim of Novell, and Steven Legg of Adacel have 227 contributed with reviews of this document.