
Re: nature of the error



Rather than adding a few examples among the descriptions, I used the two given examples at the end of the new text like this:
 
The descriptions provided here do not fully account for result code substitutions used to prevent unauthorized disclosures (such as substitution of noSuchObject for insufficientAccessRights, or invalidCredentials for insufficientAccessRights).
 
This way we don't give the impression that we're either prescribing substitution, or covering all cases.


>>> "Jim Sermersheim" <jimse@novell.com> 10/23/05 11:06:48 am >>>
I don't have a problem with this. Anyone else?

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 10/22/05 9:23:55 am >>>
To better handle "don't disclose" provisions in authorization
systems,  I suggest the following changes be made to
[Protocol].

In 4.1.9, after:
   The server should return the result
   code that best indicates the nature of the error encountered.

add:
   Servers may return substitute result codes to prevent
   unauthorized disclosures.

In the appendix A, replace:
   Servers may substitute some result codes due to access controls which
   prevent their disclosure. 

with:
   The descriptions provided here do not fully account for
   result code substitutions to prevent unauthorized
   disclosures.

An alternative to the latter would be to attempt to fully
account for possible result code substitutions.  However,
given that authorization is a local matter, and hence
implementors likely have a wide range of views of the
kinds of information that they might want to prevent
disclosure of, that seems a bit of a rat hole.  However,
it might be good to note some of the obvious cases
(noSuchObject for insufficientAccessRights,
invalidCredentials for insufficientAccessRights)
in individual descriptions.

- Kurt
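
The two substitutions named in this thread, sketched as one possible local policy. This is an added example, not text from [Protocol] or code from any participant; the ACL layout, the "read" and "disclose" rights, the identities and the function names are all hypothetical, and the draft prescribes none of it.

```python
from enum import IntEnum

class RC(IntEnum):  # numeric values as assigned to these LDAP result codes
    success = 0
    noSuchObject = 32
    invalidCredentials = 49
    insufficientAccessRights = 50

# Constructed sample data: entry DN -> local ACL (all names hypothetical).
ACL = {
    "cn=payroll,dc=example,dc=com": {"read": {"cn=hr"}, "disclose": {"cn=hr", "cn=audit"}},
    "cn=public,dc=example,dc=com": {"read": {"*"}, "disclose": {"*"}},
}

def allowed(who, dn, right):
    """True if `who` holds `right` on an existing entry."""
    members = ACL[dn][right]
    return "*" in members or who in members

def true_result(who, dn):
    """The code that best indicates the nature of the error, before any substitution."""
    if dn not in ACL:
        return RC.noSuchObject
    if not allowed(who, dn, "read"):
        return RC.insufficientAccessRights
    return RC.success

def substitute(code, operation, may_disclose):
    """Hide an access-control denial from a requester who may not learn of it."""
    if code == RC.insufficientAccessRights and not may_disclose:
        # The two substitutions mentioned in the thread.
        return RC.invalidCredentials if operation == "bind" else RC.noSuchObject
    return code

def search_result(who, dn):
    """Result code actually returned to the client for a base-object search."""
    code = true_result(who, dn)
    may_disclose = dn in ACL and allowed(who, dn, "disclose")
    return substitute(code, "search", may_disclose)

if __name__ == "__main__":
    for who in ("cn=guest", "cn=audit", "cn=hr"):
        for dn in ("cn=payroll,dc=example,dc=com", "cn=missing,dc=example,dc=com"):
            print(who, dn, search_result(who, dn).name)
```

With this policy a requester lacking the hypothetical "disclose" right sees the same code for a protected entry and for a nonexistent one, so the result code cannot be used to probe for the entry's existence.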