Re: [ldapext] empty-groupOfNames-issue

Michael Ströder <michael@stroeder.com> Fri, 04 December 2015 14:11 UTC

Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25BC01A872F for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 06:11:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U9PnEl_6Fl6H for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 06:11:29 -0800 (PST)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E9DD1B31DB for <ldapext@ietf.org>; Fri, 4 Dec 2015 06:11:27 -0800 (PST)
Received: from srv4.stroeder.local (unknown [10.1.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer "stroeder.com Server CA no. 2009-07" (verified OK)) by srv1.stroeder.com (Postfix) with ESMTPS id E607B1CF66; Fri, 4 Dec 2015 14:11:25 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local [10.1.1.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id 0BC361D29F; Fri, 4 Dec 2015 14:11:22 +0000 (UTC)
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
References: <5661765D.6040603@stroeder.com> <20151204134757.GE3643@slab.skills-1st.co.uk>
From: Michael Ströder <michael@stroeder.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56619F0A.8060608@stroeder.com>
Date: Fri, 04 Dec 2015 15:11:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <20151204134757.GE3643@slab.skills-1st.co.uk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040900000007040902080706"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/tJwK2_-6v8cMhW-1k2ahzdq_G2s>
Cc: ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 14:11:31 -0000

Andrew Findlay wrote:
> On Fri, Dec 04, 2015 at 12:17:49PM +0100, Michael Ströder wrote:
> 
>> 1. Modified standard schema descriptions for 'groupOfNames' and
>> 'groupOfUniqueNames':
>>
>> This is the work-around already chosen by various vendors:
>> The MUST member or MUST uniqueMember is turned into MAY.
>>
>> + it just works, no interop-problems seen so far.
>> + no change required in LDAP clients
>> + no change required in access control rules
>> + no change required in other client or server-side code dealing with groups
>>
>> - It violates standardization best practices, most notably IANA considerations.
>> - It could serve as a bad example to change standard schema at will.
>>
>> Hopefully Rolf Sonneveld and Andrew Findlay will clearly comment on IANA
>> considerations.
> 
> I don't think there is an IANA consideration here. The modified schema
> is (currently) incorrect according to RFC4519 or is alternatively an
> experiment leading to a proposed change to a standard. In the latter
> case it would have to be accepted by IETF and published in a new RFC
> that obsoletes 4519. At that time, IANA would update the reference in
> the Object Identifiers table to point to the new document but would have
> no other involvement.

Ok.

Do you think that a complete replacement RFC _obsoleting_ RFC 4519 would be
needed?  If the ldapext community would agree on changing the standard wouldn't
a small RFC _updating_ RFC 4519 also be sufficient?

> In practice I cannot see such a change ever being accepted into the
> standards track. If anything, the relatively wide distribution of
> non-conformant implementations makes a stronger case for deprecating
> these objectclasses for new deployments.
> 
> The definition of groupOfNames goes right back to X.521(1988) and it was
> already broken at that point:
> 
> a)	member was a mandatory attribute

Hmm, I somewhat disagree here.  But maybe I'm just too pragmatic. ;-)

> b)	Nested groups were mentioned in the text but the semantics
> 	were left undefined

Please let us keep the scope limited to the empty-groupOfNames-issue.  I'm not
keen on opening the can-of-worms on semantics of nested groups.

>> 2. new object class 'groupOfEntries'
>>
>> Andrew kindly wrote an mini I-D defining a new structural object class
>> 'groupOfEntries' simply with MAY member instead of MUST meant as direct
>> replacement for 'groupOfNames'.
>>
>> http://tools.ietf.org/html/draft-findlay-ldap-groupofentries
>>
>> + Very simple
>> + Fully compliant to standardization best practices
>>
>> - It's not clear whether it was widely adopted in deployments.
> 
> Maybe not in the exact form I described in that I-D, but functionally
> equivalent objectclasses have been in most of my customers' systems.
> It could be argued that the corrupted form of groupOfNames described
> above is actually proof of widespread deployment of an analogous class.

Hmm, the wording gets a bit blurry here.
How would you explain the clear distinction between 1. and 2.?

Ciao, Michael.