
Re: Access Control document



Alan & Steve

I would be happy to volunteer to undertake a portion of this evaluation.
While on a recent contract at a Fortune 2 Client, Access Control was one
of the points of contention between the Pure LDAP camp, which supported
products such as MS ADS and Netscape LDAP directory server, and the X.500
camp, who supported products such as DataCraft and Control Data. Three
members of this group, Tim Howes, Frank Chen (Netscape) and Alexis Bor
(Directory Works), are familiar with the project, the debate that took place
and the work that was produced.
	As an independent party I have no qualms about modifying the LDAP standard
to be more consistent with either X.500, NIS+ or any other established
Access Control model. However, in many ways the current standards
themselves are lacking in the realm of adaptability to client/server and
object based distributed systems.
	Given that I have the public blessing of two of the corroborating parties to
share my findings with this group (Netscape & DataCraft), I would be happy
to participate and share several months' worth of directed research into
potential LDAP/X.500 Access Control models & issues with any interested
party.

Marlin Pohlman
Coradon Consulting, Inc.

----------
> From: Steve Kille <S.Kille@isode.com>
> To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
> Cc: ietf-ldapext@netscape.com; ietf-asid@netscape.com
> Subject: Re: Access Control document
> Date: Tuesday, February 10, 1998 2:29 AM
> 
> Alan,
> 
> Thanks for making this suggestion.   It would seem to me that IF the
> X.500 access control meets the requirements (or meets most of them, and it is
> clear that it can be adapted to meet most or all of the remainder) then
> there is a very strong case for using it as:
>   1) It is an open standard already supported by a number of vendors
>   2) It is clearly a natural fit with LDAP, which is based on X.500
>   3) It will save the contentious work of defining something from
>      scratch.
> 
> I'd be interested to understand if anyone disagrees with this??  
> 
> It seems to me unlikely, given the extensive list of requirements,
> that a specification for Access Control which meets this list of
> requirements is going to be much simpler than the X.500 one.   I can
> see a case for a very simple access control scheme, but this is just not
> going to arise from this requirements list.
> 
> It seems to me that a useful piece of work would be to evaluate the
> X.500 access control specification (probably including the recent
> X.500(1997) work, which focussed on many security aspects, including extending
> access control in a number of useful ways) to see how far it meets the
> requirements that this group is developing.   It would be a nonsense
> to use the X.500 specifications if they did not meet the requirements.
> 
> We need to find someone to undertake this evaluation?  Ideally, this
> should be someone "neutral" whose commercial position would not be
> significantly affected by this decision.   I appreciate that it may
> be hard to find someone who is both neutral and able to do the work.
> 
> 
> 
> Steve Kille
>