Re: Access Control document



Alan,

Thanks for making this suggestion.   It would seem to me that IF the X.500
access control meets the requirements (or meets most of them, and it is
clear that it can be adapted to meet most or all of the remainder) then
there is a very strong case for using it as:
  1) It is an open standard already supported by a number of vendors
  2) It is clearly a natural fit with LDAP, which is based on X.500
  3) It will save the contentious work of defining something from
     scratch.

I'd be interested to understand if anyone disagrees with this?

It seems to me unlikely, given the extensive list of requirements,
that a specification for Access Control which meets this list of
requirements is going to be much simpler than the X.500 one.   I can
see a case for a very simple access control scheme, but this is just not
going to arise from this requirements list.

It seems to me that a useful piece of work would be to evaluate the
X.500 access control specification (probably including the recent X.500(1997)
work, which focussed on many security aspects, including extending
access control in a number of useful ways) to see how far it meets the
requirements that this group is developing.   It would be a nonsense
to use the X.500 specifications if they did not meet the requirements.

We need to find someone to undertake this evaluation?  Ideally, this
should be someone "neutral" whose commercial position would not be
significantly affected by this decision.   I appreciate that it may
be hard to find someone who is both neutral and able to do the work.



Steve Kille