
Extensibility of InfoResponse CreateAccountRequest PDUs




The current InfoResponse and CreateAccountRequest PDUs do not appear to
easily support servers that can handle authentication mechanisms in addition
to SASL-MD5. For example, the current AuthParams returned by the
InfoResponse must contain either a DigestMD5AuthParams or a sequence of one
or more elements not in the Sacred namespace.  It is therefore not possible
to return a DigestMD5AuthParams and something else. 

A simple solution would be to redefine the types as follows:

  <complexType name="AuthParamsType"> 
    <choice maxOccurs="unbounded"> 
      <element name="DigestMD5AuthParams"> 
        <complexType> 
          <sequence> 
            <element name="Realm" type="string" minOccurs="1" maxOccurs="unbounded"/> 
          </sequence> 
        </complexType> 
      </element> 
      <any namespace="##other"/> 
    </choice> 
  </complexType> 

  <complexType name="AuthInfoType"> 
    <choice maxOccurs="unbounded"> 
      <element name="DigestMD5AuthInfo"> 
        <complexType> 
          <sequence> 
            <element name="PasswordVerifier" type="ds:CryptoBinary"/> 
            <element name="Realm" type="string" /> 
          </sequence> 
        </complexType> 
      </element> 
      <any namespace="##other"/> 
    </choice> 
  </complexType> 


Alternatively, the various AuthParams and AuthInfo elements could be derived
from base types.  This stricter schema would allow the parser to do type
checking on the elements contained within these PDUs where the current
version does not and so allow extra mechanisms to be added in a well defined
way.

For example, the AuthParamsType could be defined as follows:

  <complexType name="DigestMD5ParamsType"> 
    <complexContent>
      <extension base="sacred:MechanismParamsType">
        <sequence> 
          <element name="Realm" type="string" minOccurs="1" maxOccurs="unbounded"/> 
        </sequence> 
      </extension>
    </complexContent>
  </complexType> 

  <complexType name="MechanismParamsType">
    <attribute name="Name" type="string" use="required"/>
  </complexType>

  <complexType name="AuthParamsType"> 
    <sequence minOccurs="1" maxOccurs="unbounded"> 
      <element name="Mechanism" type="sacred:MechanismParamsType"/>
    </sequence> 
  </complexType>
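
The difference between the current AuthParams content model and the first proposal above, as an added example that is not part of the original post: a hand-written Python check of both models against an InfoResponse fragment that offers two mechanisms. The namespace URIs, the `ex:TokenAuthParams` element and the function names are assumptions made for illustration, and local elements are assumed to be namespace-qualified.

```python
import xml.etree.ElementTree as ET

# Assumption: placeholder namespace URI; the post does not give the real Sacred one.
SACRED_NS = "urn:example:sacred-placeholder"
MD5 = f"{{{SACRED_NS}}}DigestMD5AuthParams"
REALM = f"{{{SACRED_NS}}}Realm"


def _kind(child):
    """Classify one AuthParams child: 'md5', 'other', or None if not allowed."""
    if child.tag == MD5:
        kids = list(child)
        # DigestMD5AuthParams: a sequence of one or more Realm elements only.
        return "md5" if kids and all(k.tag == REALM for k in kids) else None
    # <any namespace="##other"/>: namespace-qualified and not in the Sacred namespace.
    if child.tag.startswith("{") and not child.tag.startswith(f"{{{SACRED_NS}}}"):
        return "other"
    return None


def valid_current(auth_params):
    """Current model as the post describes it: one DigestMD5AuthParams, or 1+ foreign elements."""
    kinds = [_kind(c) for c in auth_params]
    return kinds == ["md5"] or (bool(kinds) and all(k == "other" for k in kinds))


def valid_proposed(auth_params):
    """Proposed model: <choice maxOccurs="unbounded">, so both kinds may be mixed."""
    kinds = [_kind(c) for c in auth_params]
    return bool(kinds) and all(k is not None for k in kinds)


# Constructed sample: a server offering DIGEST-MD5 plus one hypothetical foreign mechanism.
MIXED = ET.fromstring(f"""
<AuthParams xmlns="{SACRED_NS}" xmlns:ex="urn:example:other-mechanism">
  <DigestMD5AuthParams><Realm>example.com</Realm></DigestMD5AuthParams>
  <ex:TokenAuthParams/>
</AuthParams>""")

if __name__ == "__main__":
    print("current :", valid_current(MIXED))
    print("proposed:", valid_proposed(MIXED))
```

Under either model an unknown element in the Sacred namespace is still rejected, so the `##other` wildcard does not let an extension shadow a Sacred-defined name.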