On Jun 2, 2010, at 11:11 AM, Michael Ströder wrote:

> [email protected] wrote:
>> However, one issue I have with this code is that highly dependent
>> behaviors which, aside from not being standardized, aren't even specified
>> in RFCs. For instance, there is no RFC describing dnsHostName or
>> ldapServiceName or any specification detailing how GSS-SPNEGO is to be
>> used in LDAP. Without a formal specification (e.g., RFC), I oppose
>> release of this code. That is, it should stay HEAD only until such time
>> that a formal specification (e.g., RFC) is available.
>
> Kurt, I somewhat can understand your concerns.
> But as a general answer to your comment above: There is already a lot of code
> in OpenLDAP for which no RFC or at least an I-D was specified but which serves
> a certain use-case. Strictly (following your statement above) speaking one
> would have to hunk out all the stuff only specified in I-Ds.

An I-D would be a start. I would think there's a number of interesting security considerations that would bubble up if someone would ever have taken the time to submit a specification regarding use of SPNEGO in SASL and in application protocols such as LDAP to an open standards organization such as the IETF.

> So I don't see
> the strong need to be overly strict here.

It's long been a stated goal of the project to promote interoperability through open standards. This work seems more to come from a community whose stated goal is to behave like one particular vendor. I'm not a fan of chasing any particular vendor.

> Quality of certain code is another story. But I cannot comment on this.

How can one independently verify the code acts as intended without a specification of the intended behavior? (Saying it should act like some particular commercial product, is not a specification.)

-- Kurt

>
> Ciao, Michael.
