
Re: LDAP ACLs



I agree with most of what you said, Paul.

We're faced with a choice among evils:

(A) Get the LDAP, WebDAV, and IMAP/ACAP crowds together to come up with
    joint requirements and design an IETF ACL system.
Pros: Will probably have best final outcome
Cons: Will take a long time (possibly 2 or 3 years)
      We probably don't have enough field experience to do this right
      OS vendors with different models will have to add support for the
        IETF model

(B) Several mandatory-to-implement-on-client ACL systems.  Possibly add
    (A) later.
Pros: flexible
      server implementations more secure
Cons: lots of client complexity
      interoperability problems with less frequently used models
      LDAP servers with different ACL models can't interoperate for
        replication, referrals, etc.
      Introduces cross-protocol compatibility problems

(C) Design a single experimental LDAP model with the intention that it be
    replaced with (A) down the road.
Pros: Gets something to market faster
Cons: OS vendors with different models will have to add support for
        this model and the future model
      This model will probably have to be supported for a long time after
        (A) is deployed.
      Introduces cross-protocol compatibility problems

I'm afraid (C) is the lesser of evils here.  But none of these are
appealing.

		- Chris