
RE: LDAP ACLs
> -----Original Message-----
> From:	Paul Leach [SMTP:paulle@microsoft.com]
> Sent:	Sunday, May 03, 1998 10:14 AM
> To:	Williams,Ronald B; ietf-ldapext@netscape.com
> Subject:	Re: LDAP ACLs
> 
> 
> 
> >In light of the resounding defeat of the multiple-ACL-model-support
> >resolution at the Los Angeles meeting, I find it difficult to
> >understand why one person's individual misunderstanding obviates the
> >clear consensus developed on that day.
> 
> Perhaps because the person who misunderstood is the chief architect
> for one of the major implementations of an LDAP compliant DS on the
> market today.
> 
> >I believe the minutes will show that
> >the question was put clearly to the room, aside from any particular
> >arguments that may have been offered.
> 
> I do not doubt that, all other things being equal, everyone would
> prefer a single ACL model. So would I. So did the people who created
> the "single ACL models" for IMAP and ACAP. So, there isn't going to be
> a "single ACL model", no matter how the WG votes. My proposal merely
> tries to recognize that fact.
> 
	Yes - perhaps the industry does - but there is no need to
institutionalise that fact with confusing standards and apply them in
every directory implementation. The directory ACL/I standard is to
provide portability of ACI information between systems and the ability
to provide a common Authentication/ACI policy across a number of
interconnected servers (DSAs).

	Does it not follow that as we evolve to X.509 based systems for
authentication and signatures and these are applied to ACI models
(otherwise how does ACI work if one cannot verify the user) and the fact
that people are mobile and want to access a DSA system from anywhere -
that ACI needs to be consistent just like X.509 authentication
processes.

	In addition certificate path processing through different servers
may be prevented by ACI for those who are not entitled to verify such
paths - this is a very useful application of ACI in a wider EC
environment. i.e. Instead of applying transient CRLs - inhibit the path
with an ACI system wide policy.
	i.e. ACI Standards such as X.501 would be good here.

	What we must watch for is that there is a danger that directory
systems end up with just a pile of unmanageable schema (i.e. thousands of
attributes - that can be applied in any way shape or form to hundreds of
objects - which relate to network products, application servers,
application services, users, roles, mail lists, certificates, customers,
business objects, company assets - and all inter-mingled) and an access
protocol. As this will make a single access control model complex and
multiple access control regimes (and multiple applications of them) with
distributed operations across a large system impossible.

	Directories are about rapid and deterministic retrieval of
disciplined information across a distributed environment - unmanaged
schema and multiple access controls hardly enable that.

	regards alan



> >- ----------------------------------
> Paul J. Leach <paulle@microsoft.com>
> PGP Key ID: 0x978829DD
> Fingerprint: 9EFA A405 39B4 F91F DE6F 8939 6FE9 F5D8
> Key Servers: http://pgpkeys.mit.edu:11371 ldap://certserver.pgp.com
> 
>