
Re: Comments on Access Control Model - authentication levels



I note that in the 2nd edition, the word 'unauthenticated' only
appears once in X.501 as part of the non-normative Appendix K.
PF-2: General Public access may be unauthenticated, but an identity must be presented.
The word 'anonymous' does not appear at all.

At 02:35 PM 4/2/01 -0400, Richard V Huber wrote:
>I'm copying this to the LDAPBIS list since one of the comments in the
>Ellen's new BNF points out something that may be of interest.  The
>specification of "none" as an authorization level comes from X.501.
>
>The X.501 4th edition draft says (section 18.4.2.3):
>
>  For access control purposes, the "simple" authentication level
>  requires a password; the case of identification only, with no
>  password supplied, is considered "none".
>
>This is relevant to the discussion we had in Minneapolis concerning
>"anonymous" vs. "unauthorized".  It seems to give support to the idea
>that they are NOT the same thing.

A little more (from X.501, 2nd edition, 16.4.2.3 AuthenticationLevel):
  AuthenticationLevel defines the minimum requestor authentication level
  required for this ACIItem. It has two forms:
   - basicLevels which indicates the level of authentication, optionally qualified by
      positive or negative integer localQualifier;
   - other - an externally defined measure.
  When basicLevels is used, an AuthenticationLevel consisting of a level and
  optional localQualifier shall be assigned to the requestor by the DSA according
  to local policy. For a requestor's authentication level to exceed a minimum
  requirement, the requestor's level must meet or exceed that specified in the
  ACIItem, and in addition the requestor's localQualifier must be arithmetically
  greater than or equal to that of the ACIItem. Strong authentication of the
  requestor is considered to exceed a requirement for simple or no authentication,
  and simple authentication exceeds a requirement for no authentication. For access
  control purposes, the "simple" authentication level requires a password; the case
  of identification only, with no password supplied, is considered "none".

Note the absence of an "anonymous" authentication level.  This
implies to me that for the purposes of access control, "no
authentication" and "anonymous authentication" are both
authentication level "none".

Kurt
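The X.501 basicLevels comparison rule quoted in the message, worked through in code as an added example (this is not code from the thread, from X.501, or from any DSA implementation). The ordering none < simple < strong, the "meet or exceed" test on the level and the "arithmetically greater than or equal" test on localQualifier follow the quoted clause; the `classify_bind` helper, its `strong` flag, and the decision to treat a requestor with no localQualifier as 0 are assumptions made for this illustration. The point the message makes, that an anonymous requestor and an identified requestor with no password both land at level "none", falls out of the classifier directly.

```python
"""X.501 AuthenticationLevel (basicLevels form): illustration only.

Added example, not code from the mailing-list thread or from X.501 itself.
Constructed for illustration: the classify_bind helper and the handling of an
absent requestor localQualifier (treated as 0) are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    # Ordering mirrors the quoted rule: strong exceeds simple, simple exceeds none.
    NONE = 0
    SIMPLE = 1
    STRONG = 2


@dataclass(frozen=True)
class AuthenticationLevel:
    level: Level
    local_qualifier: Optional[int] = None  # optional positive or negative integer


def classify_bind(identity_presented: bool, password_supplied: bool,
                  strong: bool = False) -> AuthenticationLevel:
    """Map how a requestor authenticated to an AuthenticationLevel (assumed helper).

    Per the quoted X.501 text, 'simple' requires a password; identification
    only, with no password, is 'none'. A requestor presenting no identity at
    all (anonymous) therefore also receives 'none': the access-control model
    does not distinguish the two cases. The `strong` flag is an assumption
    standing in for whatever strong authentication the DSA recognises.
    """
    if strong:
        return AuthenticationLevel(Level.STRONG)
    if identity_presented and password_supplied:
        return AuthenticationLevel(Level.SIMPLE)
    return AuthenticationLevel(Level.NONE)


def meets_requirement(requestor: AuthenticationLevel,
                      required: AuthenticationLevel) -> bool:
    """True if the requestor's level satisfies the ACIItem's minimum.

    Both conditions come from the quoted clause: the level must meet or exceed
    the ACIItem's level, and the localQualifier must be arithmetically >= the
    ACIItem's. If the ACIItem carries no localQualifier there is nothing to
    compare; a requestor lacking one is treated as 0 (assumption).
    """
    if requestor.level < required.level:
        return False
    if required.local_qualifier is None:
        return True
    requestor_q = 0 if requestor.local_qualifier is None else requestor.local_qualifier
    return requestor_q >= required.local_qualifier


def decisions_against(required: AuthenticationLevel) -> dict:
    """Evaluate the four constructed requestor cases against one ACIItem requirement."""
    cases = {
        "anonymous (no identity, no password)": classify_bind(False, False),
        "identification only (no password)": classify_bind(True, False),
        "simple (identity + password)": classify_bind(True, True),
        "strong": classify_bind(True, False, strong=True),
    }
    return {name: meets_requirement(lvl, required) for name, lvl in cases.items()}


if __name__ == "__main__":
    # Constructed ACIItem requiring at least 'simple' authentication.
    for name, ok in decisions_against(AuthenticationLevel(Level.SIMPLE)).items():
        print(f"{name:40s} -> {'permitted' if ok else 'denied'}")
```

Run stand-alone, the script shows the anonymous and identification-only requestors denied and the simple and strong requestors permitted against an ACIItem that requires "simple"; the two "none" cases are indistinguishable to the comparison, which is exactly why the message argues that "anonymous" needs no separate authentication level.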