RE: Access Control document
- To: "M.Pohlman" <coradon@ix.netcom.com>, Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>, Steve Kille <S.Kille@isode.com>
- Subject: RE: Access Control document
- From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
- Date: Wed, 11 Feb 1998 08:45:09 +1100
- Cc: ietf-ldapext@netscape.com, ietf-asid@netscape.com, Frank@netscape.com, alexis.bor@directoryworks.com, howes@netscape.com, aschwarz@uoknor.edu, jliedel@ford.com
- Delivered-to: ldapext-archive@critical-angle.com
- Resent-date: Tue, 10 Feb 1998 13:50:00 -0800 (PST)
- Resent-from: ietf-ldapext@netscape.com
- Resent-message-id: <"KxqjF3.0.HM3.7kCuq"@glacier>
- Resent-sender: ietf-ldapext-request@netscape.com
Sounds good - re the document - so please send.
regards
PS Datacraft was sold to others - the Defence/Directories part became a
new company called (music and fanfares please :-)) OpenDirectory - a
brilliant world leading supplier of excellent directory products ..
(what else would I say)
> -----Original Message-----
> From: M.Pohlman [SMTP:coradon@ix.netcom.com]
> Sent: Wednesday, February 11, 1998 5:37 AM
> To: Alan Lloyd; Steve Kille
> Cc: ietf-ldapext@netscape.com; ietf-asid@netscape.com;
> Frank@netscape.com; alexis.bor@directoryworks.com; howes@netscape.com;
> aschwarz@uoknor.edu; jliedel@ford.com
> Subject: Re: Access Control document
>
> Alan & Steve
>
> I would be happy to volunteer to undertake a portion of this evaluation.
> While on a recent contract at a Fortune 2 Client, Access Control was one
> of the points of contention between the Pure LDAP camp which supported
> products such as MS ADS and Netscape LDAP directory server and the X.500
> camp who supported products such as DataCraft and Control Data. Three
> members of this group Tim Howes, Frank Chen (Netscape) and Alexis Bor
> (Directory Works) are familiar with the project, the debate that took
> place and the work that was produced.
> As an independent party I have no qualms about modifying the LDAP standard
> to be more consistent with either X.500, NIS+ or any other established
> Access Control model. However, in many ways the current standards
> themselves are lacking in the realm of adaptability to client/server and
> object based distributed systems.
> Given, I have the public blessing of two of the corroborating parties to
> share my findings with this group (Netscape & DataCraft). I would be happy
> to participate and share several months' worth of directed research into
> potential LDAP/X.500 Access Control models & issues with any interested
> party.
>
> Marlin Pohlman
> Coradon Consulting, Inc.
>
> ----------
> > From: Steve Kille <S.Kille@isode.com>
> > To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
> > Cc: ietf-ldapext@netscape.com; ietf-asid@netscape.com
> > Subject: Re: Access Control document
> > Date: Tuesday, February 10, 1998 2:29 AM
> >
> > Alan,
> >
> > Thanks for making this suggestion. It would seem to me that IF the X.500
> > access control meets the requirements (or meets most of them, and it is
> > clear that it can be adapted to meet most or all of the remainder) then
> > there is a very strong case for using it as:
> > 1) It is an open standard already supported by a number of vendors
> > 2) It is clearly a natural fit with LDAP, which is based on X.500
> > 3) It will save the contentious work of defining something from
> > scratch.
> >
> > I'd be interested to understand if anyone disagrees with this??
> >
> > It seems to me unlikely, given the extensive list of requirements,
> > that a specification for Access Control which meets this list of
> > requirements is going to be much simpler than the X.500 one. I can
> > see a case for a very simple access control scheme, but this is just not
> > going to arise from this requirements list.
> >
> > It seems to me that a useful piece of work would be to evaluate the
> > X.500 access control specification (probably including the recent X.500(1997)
> > work, which focussed on many security aspects, including extending
> > access control in a number of useful ways) to see how far it meets the
> > requirements that this group is developing. It would be a nonsense
> > to use the X.500 specifications if they did not meet the requirements.
> >
> > We need to find someone to undertake this evaluation? Ideally, this
> > should be someone "neutral" whose commercial position would not be
> > significantly affected by this decision. I appreciate that it may
> > be hard to find someone who is both neutral and able to do the work.
> >
> >
> >
> > Steve Kille
> >