[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Access Control document
> -----Original Message-----
> From: Steve Kille [SMTP:S.Kille@isode.com]
> Sent: Tuesday, February 10, 1998 7:30 PM
> To: Alan Lloyd
> Cc: ietf-ldapext@netscape.com; ietf-asid@netscape.com
> Subject: Re: Access Control document
>
> Alan,
>
> Thanks for making this suggestion. It would seem to me that IF the
> X.500
> access control meets the requirements (or meets most of them, and it
> is
> clear that it can be adapted to meet most or all of the remainder)
> then
> there is a very strong case for using it as:
> 1) It is an open standard already supported by a number of vendors
> 2) It is clearly a natural fit with LDAP, which is based on X.500
> 3) It will save the contentious work of defining something from
> scratch.
>
> I'd be interested to understand if anyone disagrees with this??
>
> It seems to me unlikely, given the extensive list of requirements,
> that a specification for Access Control which meets this list of
> requirements is going to be much simpler than the X.500 one. I can
> see a case for a very simple access control scheme, but this is just
> not
> going to arise from this requirements list.
>
> It seems to me that a useful piece of work would be to evaluate the
> X.500 access control specification (probably including the recent
> X.500(1997)
> work, which focussed on many security aspects, including extending
> access control in a number of useful ways) to see how far it meets the
> requirements that this group is developing. It would be a nonsense
> to use the X.500 specifications if they did not meet the requirements.
>
> We need to find someone to undertake this evaluation? Ideally, this
> should be someone "neutral" whose commercial postion would not be
> significantly be affected by this decision. I appreciate that it may
> be hard to find someone who is both neutral and able to do the work.
>
Yes - the issue is that to understand the full benefits of
X.500 and its ACI one would have had to have built it and deployed it -
and have a good security and operational focus. Looking at the spec only
and just imagining things about it - is not useful o rputs one in a
position to debate one way or the other. In addition - someone who is
not going to invest $$$$ in access controls would be a sticky position
debating something with those who have or will.
Access Controls - we consider that one of our crown jewels in
our DSA - its profile driven - its fast and its proven - and one can
"govern" millions of entries with minimal configuration effort.
Also it must be put in the requirements that the Authentication
process must tie in with access controls and work in a distributed
fashion - and there must be configurable and related regimes for the
system components (servers/DSAs) and their interfaces - and the users of
the directory system. ie system concepts - related to trust models.
It strikes me that one can go down the track of proving that
X.500 ACI is not quite right and produce all sorts of emotive arguments
OR one can bite the bullet and take whats there and get on with it and
discuss any areas that could be improved.
For my part - its aeroplane stuff again - ie. aeroplanes need
wings a body and and some engines. ACI needs authentication levels,
precedence, user/item application, permissions and denials and coverage
from the whole DIT down to the attribute level.
Regards alan
> Steve Kille