I don't have a problem with this. Anyone else?

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 10/22/05 9:23:55 am >>>
To better handle "don't disclose" provisions in authorization systems, I suggest the following changes be made to [Protocol].

In 4.1.9, after:
    The server should return the result code that best indicates the nature of the error encountered.
add:
    Servers may return substitute result codes to prevent unauthorized disclosures.

In the appendix A, replace:
    Servers may substitute some result codes due to access controls which prevent their disclosure.
with:
    The descriptions provided here do not fully account for result code substitutions to prevent unauthorized disclosures.

An alternative to the latter would be to attempt to fully account for possible result code substitutions. However, given that authorization is a local matter, and hence implementors likely have a wide range of views of the kinds of information that they might want to prevent disclosure of, that seems a bit of a rat hole. However, it might be good to note some of the obvious cases (noSuchObject for insufficientAccessRights, invalidCredentials for insufficientAccessRights) in individual descriptions.

- Kurt
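As an added illustration that is not part of this message thread or of [Protocol], the sketch below shows the noSuchObject-for-insufficientAccessRights substitution on a base-object read. The "disclose" and "read" right names, the sample directory and all function names are assumptions made for the example; the matchedDN filtering goes one step beyond the message, since an unfiltered matchedDN would reveal hidden ancestors.

```python
# LDAP result codes as numbered in RFC 4511, Appendix A.
SUCCESS, NO_SUCH_OBJECT, INSUFFICIENT_ACCESS_RIGHTS = 0, 32, 50

# Constructed sample directory: DN -> {requester: rights}.
# "disclose" (may learn the entry exists) and "read" are hypothetical
# right names chosen for this sketch.
DIRECTORY = {
    "dc=example,dc=com": {"anonymous": {"disclose", "read"},
                          "alice": {"disclose", "read"},
                          "bob": {"disclose", "read"}},
    "ou=hr,dc=example,dc=com": {"alice": {"disclose", "read"},
                                "bob": {"disclose"}},
    "cn=payroll,ou=hr,dc=example,dc=com": {"alice": {"disclose", "read"}},
}

def rights(requester, dn):
    return DIRECTORY.get(dn, {}).get(requester, set())

def parent(dn):
    # Naive split; adequate for sample DNs without escaped commas.
    return dn.split(",", 1)[1] if "," in dn else None

def matched_dn(requester, dn):
    """Nearest existing ancestor the requester may know about, else ''."""
    dn = parent(dn)
    while dn is not None:
        if dn in DIRECTORY and "disclose" in rights(requester, dn):
            return dn
        dn = parent(dn)
    return ""

def read_entry(requester, dn):
    """Return (resultCode, matchedDN) for a base-object read of dn."""
    if dn not in DIRECTORY or "disclose" not in rights(requester, dn):
        # Substitution: a hidden entry and an absent entry produce the
        # same response, so the result code does not reveal existence.
        return NO_SUCH_OBJECT, matched_dn(requester, dn)
    if "read" not in rights(requester, dn):
        # Existence may be disclosed, so the accurate code is safe.
        return INSUFFICIENT_ACCESS_RIGHTS, ""
    return SUCCESS, ""
```
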