Document: draft-weltman-ldapv3-proxy-12.txt
Reviewer: Spencer Dawkins
Date: March 13, 2004

Reviewer's summary: "Mostly harmless". Reasonable functionality, reasonably clear, doesn't break anything that I know about. "This draft is basically ready for publication, but has nits that should be fixed before publication."

Amazing that the first version of this I-D came out in 1997. Does it really take a year and a half per page to publish a Proposed Standard? But I should ask this on NEWTRK, not on GEN-ART...

A few minor text changes follow...

Spencer

3. Proxy Authorization Control

   A single Proxy Authorization Control may be included in any search,
   compare, modify, add, delete, modify DN or extended operation request
   message with the exception of any extension that causes a change in
   authentication, authorization, or data confidentiality [RFC 2829],
   such as Start TLS [LDAPTLS] as part of the controls field of the
   LDAPMessage, as defined in [RFC 2251].

Spencer: I know it's an editorial nit, but "as part of" completes a phrase that left off SIX COMMAS earlier. Suggest alternative text as "A single Proxy Authorization Control may be included in any search, compare, modify, add, delete, modify DN or extended operation request message as part of the controls field of the LDAPMessage, as defined in [RFC 2251], with the exception of any extension that causes a change in authentication, authorization, or data confidentiality [RFC 2829], such as Start TLS [LDAPTLS]."

...

   The controlValue SHALL be present and contain either an authzId
   [AUTH] representing the authorization identity for the request or

Spencer: "or SHALL be empty..."

   empty if an anonymous association is to be used.

Spencer: "anonymous authorization identity"?

...

   If the requested authorization identity is recognized by the server,
   and the client is authorized to adopt the requested authorization
   identity, the request will be executed as if submitted by the proxy
   authorization identity, otherwise the result code TBD is returned.

Spencer: I'm new to the world of IANA LDAP result codes, but wouldn't you expect to see a proposed name for this result code in this document? Also in IANA Considerations section later on...

   [Note to the IESG/IANA/RFC Editor: the value TBD is to be replaced
   with an IANA assigned LDAP Result Code (see RFC 3383 section 3.6)]

...

5. Security Considerations

...

   Note that the server is responsible for determining if a proxy
   authorization request is to be honored. "Anonymous" users SHOULD NOT
   be allowed to assume the identity of others.

Spencer: It seems like this restriction should appear a lot earlier in the specification - it's an implementation consideration, not ("just") a security consideration...

...

8. Normative References

   [KEYWORDS] Bradner, Scott, "Key Words for use in RFCs to Indicate
   Requirement Levels", draft-bradner-key-words-03.txt, January, 1997.

Spencer: Scott says this wins the plaid bunny award for most outdated reference in an ID this year - should be "RFC 2119", right?
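The draft text quoted above describes three server-side decisions for a Proxy Authorization Control: the controlValue must be present and hold either an authzId or an empty value (anonymous), the requested identity must be recognized and the client authorized to adopt it, and anonymous clients should not be allowed to assume another identity. The following is an added Python example written for this page; it is not code from the draft, the review, or any LDAP implementation. The control OID is taken from the later published RFC 4370, the authzId forms "dn:" and "u:" come from RFC 2829, and the Session fields, the known-identity set, and the per-client "may_proxy_as" policy are hypothetical stand-ins for a server's own directory and access-control data. The result code the draft leaves as TBD is returned as the literal string "TBD" rather than a number.

```python
"""Server-side evaluation of an LDAP Proxy Authorization Control.

Added example for this review page; not the draft's or any server's code.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Control OID of the Proxy Authorization Control (assumed from RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# An empty controlValue means the anonymous authorization identity.
ANONYMOUS = ""


@dataclass(frozen=True)
class Session:
    """Hypothetical view of the bound client (not a real LDAP API)."""
    authz_id: str                 # current authorization identity, "" if anonymous
    may_proxy_as: FrozenSet[str]  # identities local policy lets this client adopt


def parse_control_value(raw: Optional[bytes]) -> str:
    """Return the requested authorization identity from the controlValue.

    The draft says the value SHALL be present: a missing value is treated
    here as a protocol error (assumption). Empty selects anonymous; any
    other value must be an authzId of the form "dn:<DN>" or "u:<userid>".
    """
    if raw is None:
        raise ValueError("controlValue must be present")
    text = raw.decode("utf-8")
    if text == "":
        return ANONYMOUS
    if text.startswith("dn:") or text.startswith("u:"):
        return text
    raise ValueError("controlValue is not an authzId")


def decide(session: Session, raw_value: Optional[bytes],
           known_ids: FrozenSet[str]) -> Tuple[str, str]:
    """Decide whether to honor the control.

    Returns ("success", <effective identity>) when the request should be
    executed as the proxy authorization identity, ("TBD", <reason>) when
    the draft's unassigned result code applies, or ("protocolError",
    <reason>) when the control value itself is malformed.
    """
    try:
        requested = parse_control_value(raw_value)
    except ValueError as exc:
        return ("protocolError", str(exc))

    if requested == ANONYMOUS:
        # Dropping to anonymous is always permitted in this model.
        return ("success", "anonymous")

    # Security Considerations: anonymous users SHOULD NOT assume the
    # identity of others, so check this before consulting policy.
    if session.authz_id == ANONYMOUS:
        return ("TBD", "anonymous client may not proxy as another identity")

    # "recognized by the server": the identity must exist.
    if requested not in known_ids:
        return ("TBD", "requested authorization identity not recognized")

    # "authorized to adopt": local policy must allow the client to use it.
    if requested not in session.may_proxy_as:
        return ("TBD", "client not authorized to adopt requested identity")

    return ("success", requested)


if __name__ == "__main__":
    # Constructed sample data, not from any real directory.
    known = frozenset({"u:alice", "u:bob"})
    proxy = Session("dn:cn=proxy,dc=example,dc=com", frozenset({"u:alice"}))
    anon = Session(ANONYMOUS, frozenset({"u:alice"}))
    print(decide(proxy, b"u:alice", known))
    print(decide(proxy, b"u:bob", known))
    print(decide(anon, b"u:alice", known))
    print(decide(proxy, b"", known))
    print(decide(proxy, None, known))
```

Ordering the anonymous check ahead of the policy lookup means a misconfigured policy table that happens to list an identity for anonymous clients still cannot be used to proxy, which is the defensive reading of the SHOULD NOT in the Security Considerations.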