Defect report 073 on simple credentials (fwd)

"John H. Dale" <jdale@tango.cos.com> Wed, 06 January 1993 17:55 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa06501; 6 Jan 93 12:55 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa06497; 6 Jan 93 12:55 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa16521; 6 Jan 93 12:56 EST
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.03751-0@haig.cs.ucl.ac.uk>; Wed, 6 Jan 1993 17:32:35 +0000
Received: from cos.com by bells.cs.ucl.ac.uk with Internet SMTP id <g.04377-0@bells.cs.ucl.ac.uk>; Wed, 6 Jan 1993 17:32:26 +0000
Received: from tango.cos.com by coincd4000.cos.com id SMTP-0012b4b17ee014948; Wed, 6 Jan 93 12:33:35 -0500
Received: from twiddle.cos.com by tango.cos.com (4.1/SMI-4.1) id AA10977; Wed, 6 Jan 93 12:30:44 EST
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "John H. Dale" <jdale@tango.cos.com>
Message-Id: <9301061730.AA10977@tango.cos.com>
Subject: Defect report 073 on simple credentials (fwd)
To: osids <osi-ds@cs.ucl.ac.uk>
Date: Wed, 06 Jan 1993 12:29:54 -0500
X-Mailer: ELM [version 2.3 PL6]

Forwarded message:
From jdale Wed Jan  6 12:22:50 1993
From: jdale (John H. Dale)
Message-Id: <9301061722.AA10966@tango.cos.com>
Subject: Defect report 073 on simple credentials
To: dssig@ics.uci.edu (OIW DS SIG)
Date: Wed, 6 Jan 93 12:21:58 EST
X-Mailer: ELM [version 2.3 PL6]

This defect report has a bearing on the ISP parts ADI11, ADI12, ADI21,
and ADI22, which we are trying to stabilize before the EWOS EG-DIR
meeting on January 18 for the ratification process can begin. (ADI11
will probably be delayed.)  First, I provide excerpts from the defect
report, then some comments, including proposed modifications to ADI12.
As I understand it, no action has yet been taken on this defect report.
Hope I don't make typing errors.  Feel free to ask for a fax of the
original.

Defect Report 9594/073
Source: UK (BSI)
Concerning X.511 and 9594-3
Qualifier: Clarification
References in Document: 7.9.2.2 [probably should be 8.1.3.1 -jd]
Nature of Defect:
The last sentence can be interpreted as saying that if a user
supplies no credentials (e.g., omits the element), then the DSA
must also return no credentials.  This is in conflict with the
first sentence, which (sensibly) "allow[s] the user to establish
the identity of the DSA", and also conflicts with the view that
returning no credentials is logically a form of simple credentials.
It is certainly acceptable that the DSA should be denied the
possibility of identifying itself to a user (even an unidentified
one).
Solution proposed by the source:
Replace the last sentence of 8.1.3.1 with a clearer statement:
The form of the credentials element shall correspond to that
supplied by the user according to the following rules:
-If the user supplies no credentials element or uses the
 simple choice for Credentials in DirectoryBindArgument, the
 DSA shall either supply no credentials or use the simple choice
 in the credentials element of DirectoryBindResult.
-If the user uses the strong choice for Credentials in
 DirectoryBindArgument, the DSA shall use the strong choice
 for Credentials in DirectoryBindResult.
-If the user uses the externalProcedure choice for Credentials in
 DirectoryBindArgument, the DSA shall use the externalProcedure
 choice for Credentials in DirectoryBindArgument.

Comments with respect to ISP:
The suggested text lines up with my interpretation of the
base standard, and I think it will be needed for the directory.
There was some objection to putting this in the ISP, for reasons
I never understood.  Right now, I don't know whether to put
it back in or not.  But I thought it important that we understand
that it may become the 'official' interpretation of the standard.

Should it go into the ISP?  ISPs are supposed to provide the
interpretations necessary to assure interworking, and in my opinion,
such a clarification is needed for that purpose.  So ideally, we
would put the text in, or cite the defect report if approved.  However,
there is little time to deal with the earlier, unexplained (as I recall)
objections that caused us (or at least me) to back off earlier.

Suggestions?
-- 
John H. Dale  fax +1-703-846-8590  COS, 8260 Willow Oaks Corporate Dr.,
jdale@cos.com tel +1-703-205-2742  Suite 700, Fairfax, VA  22031

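The credential-form matching rule proposed in the defect report above, applied to DER-encoded bind PDUs, as an added example that is not part of the original message or of any DSA implementation. It assumes the X.511 (1988) ASN.1 for DirectoryBindArgument, DirectoryBindResult and Credentials quoted in the module docstring (tags written from memory; check them against the standard before relying on them), treats an absent credentials element as equivalent to the simple choice as the report argues, and uses sample encodings constructed here with placeholder credential bodies. The helper names (`credentials_choice`, `result_conforms`, `bind_pdu`) are this example's own.

```python
"""Credential-form matching rule from Defect Report 9594/073, applied to
DER-encoded DirectoryBindArgument / DirectoryBindResult values.

Added example, not part of the original message or of any implementation.
ASN.1 assumed (X.511 1988 tags, written from memory; verify against the text):

  DirectoryBindArgument ::= SET { credentials [0] Credentials OPTIONAL,
                                  versions    [1] Versions DEFAULT v1 }
  DirectoryBindResult   ::= SET { credentials [0] Credentials OPTIONAL,
                                  versions    [1] Versions DEFAULT v1 }
  Credentials ::= CHOICE { simple            [0] SimpleCredentials,
                           strong            [1] StrongCredentials,
                           externalProcedure [2] EXTERNAL }

All sample encodings below are constructed for this example.
"""

CHOICE_NAMES = {0: "simple", 1: "strong", 2: "externalProcedure"}

# What the DSA may return for each form the user supplied, per the proposed
# text: absent and simple are interchangeable; strong and externalProcedure
# must be answered with the same choice.
PERMITTED_RESULT = {
    None: {None, "simple"},
    "simple": {None, "simple"},
    "strong": {"strong"},
    "externalProcedure": {"externalProcedure"},
}


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV with a single-byte tag; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def credentials_choice(pdu: bytes):
    """Return which Credentials CHOICE a bind argument/result carries, or None
    when the OPTIONAL credentials element is omitted."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x31:
        raise ValueError("DirectoryBind argument/result must be a SET")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 == 0x80 and tag & 0x1F == 0:      # context-specific [0] credentials
            inner, _, _ = _read_tlv(value, 0)             # the CHOICE alternative inside it
            number = inner & 0x1F
            if inner & 0xC0 != 0x80 or number not in CHOICE_NAMES:
                raise ValueError("unknown Credentials alternative")
            return CHOICE_NAMES[number]
    return None                                           # element absent


def result_conforms(bind_argument: bytes, bind_result: bytes) -> bool:
    """True if the DSA's credentials form is one the rule allows for the user's."""
    return credentials_choice(bind_result) in PERMITTED_RESULT[credentials_choice(bind_argument)]


# --- constructed sample encodings -------------------------------------------

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form DER TLV (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


EMPTY_DN = _tlv(0x30, b"")             # DistinguishedName with no RDNs (placeholder)
SIMPLE = _tlv(0x30, EMPTY_DN)          # SimpleCredentials ::= SEQUENCE { name, ... }
STRONG = _tlv(0x30, b"")               # StrongCredentials body left empty (placeholder)
EXTERNAL = _tlv(0x28, b"")             # EXTERNAL, universal tag 8, constructed (placeholder)


def bind_pdu(choice, creds: bytes = b"", with_versions: bool = False) -> bytes:
    """Build a DirectoryBindArgument/Result SET. choice is 0/1/2 for the
    Credentials alternative, or None to omit the credentials element."""
    body = b""
    if choice is not None:
        body += _tlv(0xA0, _tlv(0xA0 | choice, creds))        # [0] EXPLICIT wrapping [n] alternative
    if with_versions:
        body += _tlv(0xA1, _tlv(0x03, bytes([7, 0x80])))      # [1] Versions: BIT STRING {v1988}
    return _tlv(0x31, body)


if __name__ == "__main__":
    cases = [
        (bind_pdu(None), bind_pdu(0, SIMPLE)),          # anonymous user, DSA still identifies itself
        (bind_pdu(0, SIMPLE, True), bind_pdu(None)),    # simple in, nothing back: allowed
        (bind_pdu(1, STRONG), bind_pdu(0, SIMPLE)),     # strong in, simple back: violation
        (bind_pdu(2, EXTERNAL), bind_pdu(2, EXTERNAL)),
    ]
    for arg, res in cases:
        print(credentials_choice(arg), "->", credentials_choice(res), result_conforms(arg, res))
```

The first case is the one the defect report is about: a bind argument with no credentials element still leaves the DSA free to answer with simple credentials, which the last sentence of 8.1.3.1 as written could be read to forbid. A bind-level conformance check or a DUA that rejects a DSA's strong credentials after a simple bind would fail the third and fourth rows in the same way.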