Re: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt: msg#00006ietf.ldapbis
Alexey Melnikov wrote:

> Excuse me for bringing the following issue so late. There is some text
> about DIGEST-MD5 in draft-ietf-ldapbis-authmeth-15.txt that bothers me:
>
>> 10. SASL DIGEST-MD5 Authentication Mechanism
>>
>> Support for subsequent authentication ([DIGEST-MD5] section 2.2) is
>> OPTIONAL in clients and servers.
>
> The sentence seems to be trying to update definition of DIGEST-MD5 SASL
> mechanism. This goes against "a protocol profile SHOULD NOT attempt to
> amend the definition of mechanisms" statement in the SASL document.
> If there is an interoperability problem due to the lack of the quoted
> sentence, then perhaps the DIGEST-MD5 document is a better place to
> address it.

The text in question from authmeth-15 dates back to RFC 2829, so I can only speculate on the reason for including it. I imagine it was included to provide the information without requiring the user to dig into the DIGEST-MD5 document. With careful reading, it appears that the DIGEST-MD5 document already states that neither client nor server is required to support subsequent authentication even when the protocol profile allows it, so this text does not change the intent of DIGEST-MD5.

I can see some options:

1. Leave text as-is. Probably not satisfactory, particularly due to the OPTIONAL keyword being used in the sentence.
2. Modify text to remove keyword. Possible new text: "Note that DIGEST-MD5 does not require clients or servers to support subsequent authentication ([DIGEST-MD5] section 2.2)."
3. Remove the text altogether and let people deduce this fact by reading [DIGEST-MD5].

I prefer #2 and would consider #3 if the text in [DIGEST-MD5] were made more explicit regarding the optional nature of subsequent authentication support.

> Alexey

Roger