[Ietf-not43] call for consensus
Andrew Newton
anewton at ecotroph.net
Wed Sep 10 13:15:40 EDT 2003
Peter Gietz wrote:
>
> - besides criticism already raised against IRIS, I see another problem in
> the authentication mechanisms defined or better not defined.
> Authentication is delegated to the BEEP transport layer and there is
> only one authentication method specified, a default server
> authentication via TLS. AFAICS there is no client authentication
> specified at all. As to server authentication the specification will
> lead to interoperability problems, when it says in 6.1.:
>
>> If a registry type does not explicitly define a server authentication
>> method, the default method is used (see Section 6.2.
This is not correct. Section 12 (security considerations) of the same
document talks about the other SASL mechanisms. In general, your
description of the problem is an inaccurate representation of how BEEP
works. It supports the same SASL mechanisms that LDAP does. Any
criticism of them is equally transferable to LDAP.
So there is client authentication with SASL/OTP, SASL/PLAIN,
SASL/DIGEST-MD5, etc.... As for specifying client authentication with
TLS, I do not think that is proper for IRIS to specify as this will be
up to the policy of each server. And if LDAP does, then this is a
serious problem with it.
> - A more general remark on XML databases: It will take years until
> native XML databases have reached the stability, performance and feature
> richness of LDAP server implementations.
This is, at best, speculation. And it also ignores the major arguments
of the people on this list that will be running these servers.
First, most of the "providers" that have been chastised on this list
already have their own databases and set of business practices around
these databases. To insist they change to accommodate the LDAP protocol
seems wrong.
Second, LDAP is a protocol and the LDAP implementations of it have no
special sauce that make them uniquely better at storing data on a disk.
They simply reuse existing database technologies. Many of the more
popular LDAP servers simply use ldbm or some variant, like gdbm or
sleepycat. OpenLDAP prefers SleepyCat... but look, SleepyCat now does
XML. So that same robust, stable, and mature LDAP datastore is now
available to IRIS (or anything else). The point: it is a fallacy to say
that a database is more stable, mature, etc... because it has LDAP in
front of it.
Finally, the timeline for mature products can probably best be judged by
mindshare. There is no true scientific way to judge current mindshare,
but I like to use the Amazon.com method: 'LDAP' (33), 'XML DATABASE'
(48), and 'XML' (559). With 10+ years of LDAP, you'd think there'd be
more written about it, but there isn't.
-andy
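The exchange above turns on the difference between the SASL mechanisms a BEEP (or LDAP) server can offer: PLAIN ships the password itself and is only acceptable inside TLS, while DIGEST-MD5 sends a nonce-keyed digest and never exposes the password on the wire. The following is an added example, not code from this post or from the IRIS/BEEP specifications; it builds the PLAIN initial response, computes the DIGEST-MD5 client response and server rspauth exactly as RFC 2831 specifies, and adds a small server-side policy check (the function names and the policy table are my own) that withholds PLAIN until TLS is active. The digest values are checked against the worked example published in RFC 2831 itself.

```python
import base64
import hashlib


def sasl_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL passwd).

    The password is only base64-encoded, not protected, so a server should
    accept this mechanism only on a TLS-protected session.
    """
    message = (authzid.encode("utf-8") + b"\0"
               + authcid.encode("utf-8") + b"\0"
               + passwd.encode("utf-8"))
    return base64.b64encode(message).decode("ascii")


def _h(data: bytes) -> bytes:
    # H() in RFC 2831 is MD5 over the raw octets.
    return hashlib.md5(data).digest()


def _a1(username, realm, passwd, nonce, cnonce, authzid=None) -> bytes:
    # A1 = H(username:realm:passwd) ":" nonce ":" cnonce [ ":" authzid ]
    # Note the first term is the 16 raw digest bytes, not their hex form.
    a1 = _h(f"{username}:{realm}:{passwd}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        a1 += f":{authzid}".encode("utf-8")
    return a1


def _kd(a1: bytes, a2: str, nonce, nc, cnonce, qop) -> str:
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k,s) = H(k:s)
    inner = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2.encode('utf-8')).hex()}"
    return _h(inner.encode("utf-8")).hex()


def digest_md5_response(username, realm, passwd, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", authzid=None) -> str:
    """Client 'response' directive per RFC 2831 section 2.1.2.1."""
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return _kd(_a1(username, realm, passwd, nonce, cnonce, authzid), a2,
               nonce, nc, cnonce, qop)


def digest_md5_rspauth(username, realm, passwd, nonce, cnonce, digest_uri,
                       nc="00000001", qop="auth", authzid=None) -> str:
    """Server 'rspauth' (response-auth) per RFC 2831: A2 omits 'AUTHENTICATE'.

    Sending this proves the server also knows the password hash, giving the
    client mutual authentication that PLAIN cannot provide.
    """
    a2 = f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return _kd(_a1(username, realm, passwd, nonce, cnonce, authzid), a2,
               nonce, nc, cnonce, qop)


# Hypothetical server policy: which configured mechanisms may be advertised
# given whether the transport is already protected by TLS.
_NEEDS_TLS = {"PLAIN", "LOGIN"}


def mechanisms_to_offer(configured, tls_active: bool):
    """Return the mechanisms a server should advertise on this session."""
    return [m for m in configured if tls_active or m not in _NEEDS_TLS]


if __name__ == "__main__":
    # Values from the worked example in RFC 2831 section 4.
    args = ("chris", "elwood.innosoft.com", "secret",
            "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "imap/elwood.innosoft.com")
    print("PLAIN   :", sasl_plain_initial_response("chris", "secret"))
    print("response:", digest_md5_response(*args))
    print("rspauth :", digest_md5_rspauth(*args))
    print("offered without TLS:", mechanisms_to_offer(["DIGEST-MD5", "PLAIN"], False))
    print("offered with TLS   :", mechanisms_to_offer(["DIGEST-MD5", "PLAIN"], True))
```

Decoding the PLAIN output recovers `\0chris\0secret` directly, which is the whole reason a server policy has to gate it on TLS; the DIGEST-MD5 response for the same credentials is a 32-character digest bound to both nonces, and the rspauth it receives back lets the client verify the server as well.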