Re: Comments on Access Control Model - authentication levels
I note that in the 2nd edition, the word 'unauthenticated' only
appears once in X.501 as part of the non-normative Appendix K.
PF-2: General Public access may be unauthenticated, but an identity must be presented.
The word 'anonymous' does not appear at all.
At 02:35 PM 4/2/01 -0400, Richard V Huber wrote:
>I'm copying this to the LDAPBIS list since one of the comments in
>Ellen's new BNF points out something that may be of interest. The
>specification of "none" as an authorization level comes from X.501.
>The X.501 4th edition draft says (section 220.127.116.11):
> For access control purposes, the "simple" authentication level
> requires a password; the case of identification only, with no
> password supplied, is considered "none".
>This is relevant to the discussion we had in Minneapolis concerning
>"anonymous" vs. "unauthorized". It seems to give support to the idea
>that they are NOT the same thing.
A little more (from X.501, 2nd edition, 18.104.22.168 AuthenticationLevel):
AuthenticationLevel defines the minimum requestor authentication level
required for this ACIItem. It has two forms:
- basicLevels which indicates the level of authentication, optionally qualified by
positive or negative integer localQualifier;
- other - an externally defined measure.
When basicLevels is used, an AuthenticationLevel consisting of a level and
optional localQualifier shall be assigned to the requestor by the DSA according
to local policy. For a requestor's authentication level to exceed a minimum
requirement, the requestor's level must meet or exceed that specified in the
ACIItem, and in addition the requestor's localQualifier must be arithmetically
greater than or equal to that of the ACIItem. Strong authentication of the
requestor is considered to exceed a requirement for simple or no authentication,
and simple authentication exceeds a requirement for no authentication. For access
control purposes, the "simple" authentication level requires a password; the case
of identification only, with no password supplied, is considered "none".
Note the absence of an "anonymous" authentication level. This
implies to me that for the purposes of access control, "no
authentication" and "anonymous authentication" are both
authentication level "none".
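As an added illustration (not code from the original message, nor from X.501 or any DSA implementation), the following Python sketch applies the quoted basicLevels comparison rule and the "identification only, no password, is none" mapping. The integer encoding of the none/simple/strong ordering, the treatment of an absent localQualifier as 0, and the level_from_bind helper are my assumptions about how a DSA might assign a level under local policy.

```python
"""Added example: evaluating X.501 basicLevels AuthenticationLevel requirements.

Assumptions (not from the spec text quoted above):
- the ordering none < simple < strong is encoded as integers 0 < 1 < 2;
- an absent localQualifier is treated as 0;
- level_from_bind models one plausible local policy for mapping a bind
  to a level; real DSAs may differ.
"""
from dataclasses import dataclass
from typing import Optional

# Ordering used by the comparison: strong exceeds simple and none,
# simple exceeds none (from the quoted 18.104.22.168 text).
LEVEL_ORDER = {"none": 0, "simple": 1, "strong": 2}


@dataclass(frozen=True)
class AuthenticationLevel:
    """basicLevels form: a level plus an optional signed localQualifier."""
    level: str
    local_qualifier: int = 0  # assumption: absent qualifier behaves as 0

    def __post_init__(self) -> None:
        if self.level not in LEVEL_ORDER:
            raise ValueError(f"unknown authentication level {self.level!r}")


def meets_minimum(requestor: AuthenticationLevel,
                  required: AuthenticationLevel) -> bool:
    """True if the requestor satisfies the ACIItem's minimum.

    Both conditions from the quoted text must hold: the requestor's level must
    meet or exceed the required level, AND the requestor's localQualifier must
    be arithmetically >= the ACIItem's localQualifier.
    """
    level_ok = LEVEL_ORDER[requestor.level] >= LEVEL_ORDER[required.level]
    qualifier_ok = requestor.local_qualifier >= required.local_qualifier
    return level_ok and qualifier_ok


def level_from_bind(dn: Optional[str],
                    password: Optional[str],
                    strong: bool = False,
                    local_qualifier: int = 0) -> AuthenticationLevel:
    """Assign a level to a requestor the way a DSA might under local policy.

    - strong authentication            -> "strong"
    - a name with a password           -> "simple"
    - a name with no password          -> "none" (identification only)
    - no name at all (anonymous bind)  -> "none"

    The last two collapse to the same level, which is the point made in the
    message above: for access control there is no separate "anonymous" level.
    """
    if strong:
        return AuthenticationLevel("strong", local_qualifier)
    if dn and password:
        return AuthenticationLevel("simple", local_qualifier)
    return AuthenticationLevel("none", local_qualifier)


if __name__ == "__main__":
    # Constructed sample binds, not captured traffic.
    anonymous = level_from_bind(None, None)
    name_only = level_from_bind("cn=alice,o=example", None)
    with_pw = level_from_bind("cn=alice,o=example", "hunter2")
    needs_simple = AuthenticationLevel("simple")
    for label, req in (("anonymous", anonymous), ("name only", name_only),
                       ("name+password", with_pw)):
        print(f"{label:14} -> {req.level:6} meets simple? "
              f"{meets_minimum(req, needs_simple)}")
```

Note the qualifier check: a requestor with a higher level but a lower localQualifier than the ACIItem still fails, because the spec requires both conditions.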