
Re: Fwd: Agenda for 11 April conf call



As I will not be able to participate in tomorrow's
conference call, a few comments:

>>- Agenda bashing (5 min)
>>- Moving forward:  Rob Byrne's note (10 min)

As previously noted, I do not object to tabling the "REQUIRED"
vs "RECOMMENDED" vs "OPTIONAL" discussion for now.

>>- Granularity of "write" permission (need consensus) (10 min)
>>         - includes all facets of ldap modify operation, or
>>         - separate into modify/add, modify/delete, ?

I prefer "write" be "includes all facets of LDAP update
operations which add/replace/delete or otherwise update attributes
of entries."  (this would include facets of add, modify, moddn,
and extension operations).

>>- Add "authenticated" pseudo-user (need consensus); also strength of 
>>authentication? (10 min)

No objection to adding 'authenticated'.  As far as auth strength
goes, I am not warm to adding this.  In particular, will the
spec detail which mechanisms are of what strength?  What happens
when a SASL mechanism is replaced (say due to a significant
flaw), are we forced to update the RFC detailing strengths?
Do we provide guidelines and leave it up to implementations
(behavior will differ between replicas)?  Alternatively, one
could axe "strength" with specific authentication method.  This
approach has its usability drawbacks and maybe some special
security considerations.

I do however suggest adding "privacy" and "integrity" parameters
to ACI.  Same issues apply as above.  However, I believe here there
is, IMO, a high level demand from the LDAP community to provide such
parameters.

>>- Should user need both "add" (object) and "write" (attributes) to add a 
>>DN/objects and its attributes?  (need consensus) (10 min)

Yes.  See above comment regarding 'write'.

>>- Next week (4/18):
>>         - KerberosID format:  look at generalization aligned with 
>> authmeth format (proposal from Kurt/Leif)
>>         - Collections (proposal from Debbie)
>>         - What is contained in the aci subentry:  aclMechanisms or also 
>> ldapACI that apply to scope of subentry / naming context?
>>
>>I have proposals KerberosID format / authmeth alignment and 
>>collections.  I'll be sending those out after the conference
>>call.  Let's try to work on these email to see if we can close these items 
>>by the 4/18 conf call.
>>
>>Ellen
>
>