[Ietf-not43] call for consensus
Peter Gietz
Peter.Gietz at daasi.de
Wed Sep 10 19:12:17 EDT 2003
Andrew Newton wrote:
> Peter Gietz wrote:
>
>>
>> - besides criticism already raised against IRIS, I see another problem
>> in the authentication mechanisms defined or better not defined.
>> Authentication is delegated to the BEEP transport layer and there is
>> only one authentication method specified, a default server
>> authentication via TLS. AFAICS there is no client authentication
>> specified at all. As to server authentication the specification will
>> lead to interoperability problems, when it says in 6.1.:
>>
>>> If a registry type does not explicitly define a server authentication
>>> method, the default method is used (see Section 6.2).
>
>
> This is not correct. Section 12 (security considerations) of the same
> document talks about the other SASL mechanisms. In general, your
> description of the problem is an inaccurate representation of how BEEP
> works. It supports the same SASL mechanisms that LDAP does. Any
> criticism of them is equally transferable to LDAP.
Apologies. I simply overread section 12 in my browser :-(
I take back this whole item.
>
> So there is client authentication with SASL/OTP, SASL/PLAIN,
> SASL/DIGEST-MD5, etc.... As for specifying client authentication with
> TLS, I do not think that is proper for IRIS to specify as this will be
> up to the policy of each server. And if LDAP does, then this is a
> serious problem with it.
Well LDAP does describe a TLS based client authentication but not as
mandatory to implement.
>
>> - A more general remark on XML databases: It will take years until
>> native XML databases have reached the stability, performance and
>> feature richness of LDAP server implementations.
>
>
> This is, at best, speculation. And it also ignores the major arguments
> of the people on this list that will be running these servers.
>
> First, most of the "providers" that have been chastised on this list
> already have their own databases and set of business practices around
> these databases. To insist they change to accommodate the LDAP protocol
> seems wrong.
>
> Second, LDAP is a protocol and the LDAP implementations of it have no
> special sauce that make them uniquely better at storing data on a disk.
> They simply reuse existing database technologies. Many of the more
> popular LDAP servers simply use ldbm or some variant, like gdbm or
> sleepycat. OpenLDAP prefers SleepyCat... but look, SleepyCat now does
> XML. So that same robust, stable, and mature LDAP datastore is now
> available to IRIS (or anything else). The point: it is a fallacy to say
> that a database is more stable, mature, etc... because it has LDAP in
> front of it.
There is a misunderstanding of my point. I am not so much concerned with
the database backend but with the features that are included in the
network protocol.
On the LDAP side we have, besides search, add, modify, etc., also built-in
authentication (e.g. bind), distribution (e.g. referrals) and some
implemented mechanisms for replication (e.g. the slurpd replication daemon
that replicates via LDAP).
On the XML database side, we don't have it, since XML itself is just a
data format and not a protocol. On the XML query language side we have a
number of candidates. And authentication is on the transport protocol side.
Here I think the distinction between several layers in IRIS is a con if
the client authentication works on a completely different layer than the
XML application. In LDAP it is IMO a nice feature that you can
authenticate by binding to a node in the data tree.
But I concede these arguments are getting more and more aesthetic.
>
> Finally, the timeline for mature products can probably best be judged by
> mindshare. There is no true scientific way to judge current mindshare,
> but I like to use the Amazon.com method: 'LDAP' (33), 'XML DATABASE'
> (48), and 'XML' (559). With 10+ years of LDAP, you'd think there'd be
> more written about it, but there isn't.
This seems to me again the argument "let us do what is trendy". The use
cases for XML are far greater than for LDAP, so you cannot really compare
these figures.
>
> -andy
>
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 2970336
Wilhelmstr. 106 Fax: +49 7071 295114
D-72074 Tübingen email: peter.gietz at daasi.de
Germany Web: www.daasi.de
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________