
authorization (was: protocol-22 comments)



Jim Sermersheim writes:
>>>>>Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 3/9/04 7:20:19 AM
>>>>
>>> 4.2. Bind Operation

>>Here is a suggestion, though it's a bit long. Maybe the last sentence
>>should be dropped.
>>
>> Authorization is the decision of which access an operation has to
>> the directory. It may be affected by many factors, (...)
> 
> I like the change but it still seems too specific. How about:
>  
> Authorization is the process of enforcing policy while performing
> operations.

I prefer my variant of that sentence.  A lot of policy is not
authorization, e.g.:
  which bind methods and SASL mechanisms to allow,
  parts of the password policy internet-draft,
  how to protect against denial of service attacks,
  server-side size/time limits,
  whether and when to time out idle connections.

The rest of your text is much better than my suggestion.

> Among other things, the process of authorization takes as
> input authentication information obtained during the bind operation
> and/or other acts of authentication (such as lower layer security
> services).

-- 
Hallvard