
ietf-sasl@imc.org


Request change to section 4 of sasl plain Sam Hartman Wed Apr 06 04:42:44 2005



I'm still not really happy with section 4 for the plain draft.  My
concerns still have to do with the framework implementation case.  One
way of addressing my concerns is to say that the code in section 4
does not apply to that case; the first paragraph makes it clear that
section 4 is not normative.

However I think there's a simple fix that would make me happy:
explicitly separate out the step of preparing the authorization ID.

1) Rename DeriveAuthzid to DerivePreparedAuthzid

2) Add an else branch to the authzid == null case that calls a new function
PrepareAuthzid

3) Pass a prepared authzid into authorize

Naturally PrepareAuthzid will be application profile or application
implementation specific.

My concern is that in the framework case I do not believe it is
generally true that the type of the output of DeriveAuthzid can be the
same domain as the type of an authzid received from the client.  For
example on Windows I'd expect DerivePreparedAuthzid to give you back a
list of sids whereas the authzid coming from the client will be
application protocol specific.  

--Sam
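
The three-step change proposed in the message above, sketched in Python as an added example (it is not code from the draft or from the poster). The function names follow the message; the `u:<name>` authzid syntax, the directory contents, the proxy policy and the SID values are constructed assumptions.

```python
from typing import FrozenSet, Optional

# Prepared form: a set of SID-like strings. This is deliberately a different
# type from the raw authzid string received from the client.
PreparedAuthzid = FrozenSet[str]

# Constructed sample data (not real accounts or SIDs).
DIRECTORY = {
    "alice": frozenset({"S-1-5-21-0-0-0-1001"}),
    "bob": frozenset({"S-1-5-21-0-0-0-1002"}),
    "admin": frozenset({"S-1-5-21-0-0-0-500"}),
}
PROXY_ALLOWED = {"admin"}  # assumed policy: identities that may act as others


def derive_prepared_authzid(p_authcid: str) -> Optional[PreparedAuthzid]:
    """Step 1: derive an already-prepared authzid from the prepared authcid."""
    return DIRECTORY.get(p_authcid)


def prepare_authzid(authzid: str) -> Optional[PreparedAuthzid]:
    """Step 2: application-specific preparation of a client-supplied authzid.
    Assumed syntax for this sketch: "u:<name>". Returns None on failure."""
    if not authzid.startswith("u:"):
        return None
    return DIRECTORY.get(authzid[2:])


def authorize(p_authcid: str, prepared: PreparedAuthzid) -> bool:
    """Step 3: authorize() only ever sees the prepared form."""
    if DIRECTORY.get(p_authcid) == prepared:
        return True  # acting as oneself
    return p_authcid in PROXY_ALLOWED


def resolve_authzid(p_authcid: str, authzid: Optional[str]) -> Optional[PreparedAuthzid]:
    """Run after the password check; returns the prepared authzid or None."""
    if authzid is None:
        prepared = derive_prepared_authzid(p_authcid)
    else:
        prepared = prepare_authzid(authzid)
    if not prepared:
        return None  # derivation or preparation failed
    if not authorize(p_authcid, prepared):
        return None  # not authorized
    return prepared
```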