[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP ACLs

To: "Alan Lloyd" <Alan.Lloyd@OpenDirectory.com.au>, <ietf-ldapext@netscape.com>
Subject: Re: LDAP ACLs
From: "Paul Leach" <paulle@microsoft.com>
Date: Mon, 4 May 1998 19:12:06 -0700
Delivered-to: ldapext-archive@critical-angle.com
Resent-date: Mon, 4 May 1998 20:07:59 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"elF0x1.0.U14.AAeJr"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

-----BEGIN PGP SIGNED MESSAGE-----

- -----Original Message-----
From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
Date: Sunday, May 03, 1998 7:45 PM


>> -----Original Message-----
>> From: Paul Leach [SMTP:paulle@microsoft.com]
>> Sent: Sunday, May 03, 1998 10:14 AM
>> 
>> 
>> I do not doubt that, all other things being equal, everyone would
>> prefer a single ACL model. So would I. So did the people who
created
>> the "single ACL models" for IMAP and ACAP. So, there isn't going to
be
>> a "single ACL model", no matter how the WG votes. My proposal
merely
>> tries to recognize that fact.
>> 
> Yes - perhaps the industry does - but there is no need to
>institutionalise that fact with confusing standards and apply them in
>every directory implementation. The directory ACL/I standard is to
>provide portability of ACI information between systems and the
ability
>to provide a common Authentication/ ACI policy across a number of
>interconnected servers(DSAs). 

Excuse me, those were IETF ACL standards for "single ACL model" I was
talking about. So we've already lost portability.

>
> Does it not follow that as we evolve to X.509 based systems for
>authentication and signatures and these are applied to ACI models
>(otherwise how does ACI work if one cannot verify the user) and the
fact
>that people are mobile and want to acccess a DSA system from anywhere
- -
>that ACI needs to be consistent just like X.509 authentication
>processes.

Not at all. I, as a client, can access a DSA system from anywhere as
long as I can authenticate. I do not need to be able to manage ACLs to
be able to do that.

- -------------------
Paul J. Leach <paulle@microsoft.com>
PGP Key ID: 0x978829DD
Fingerprint: 9EFA A405 39B4 F91F DE6F 8939 6FE9 F5D8
Key Servers: http://pgpkeys.mit.edu:11371 ldap://certserver.pgp.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.5.5

iQCVAwUBNU51dcqlCdSXiCndAQFwAgP9F6DdohLxQrmIa34EevdxSB1xGFHEIaKU
0a6GLFT5iKBf6A1ffWYuJlTY8hyKF6yTJVSC36uAXC37zU773/IQWQpIp1Dr+EdT
T1JtN60HaJ3TuTB05aLF/F6aMKfTwpKni6NsYypIjIWoCaT5XT+7xybhFKsPQQGz
RNcShQvkOWo=
=lUGq
-----END PGP SIGNATURE-----

Prev by Date: RE: LDAP ACLs
Next by Date: RE: LDAP ACLs
Index(es):
- Chronological
- Thread