
RE: Naming of ACLs, Replication etc



Here's my $0.02 worth...

The ldapext WG charter
(http://www.ietf.org/html.charters/ldapext-charter.html) says "LDAPv3
defines an information model and an authentication model, allowing
information to be protected via access control. But LDAPv3 defines no
standard representation or semantic for this access control information.
This work item will be to define such a standard access control model."
about access control.  The general overview from the charter says: "LDAP
version 3 has laid a solid foundation for directory access on the Internet.
More work is needed to provide a full Internet directory service. The LDAP
Extension working group will define and standardize extensions to the LDAP
version 3 protocol and extensions to the use of LDAP on the Internet."

Nowhere in the charter does it say any of the things that Steve attributed
to it in his previous note, so maybe I'm missing something, but I think
that the charter is just fine as it is.  I also like the approach of
attempting to define requirements for the access control model of LDAP
accessible directories
(http://www.ietf.org/internet-drafts/draft-ietf-ldapext-acl-reqts-00.txt).
I certainly wish that I'd been clever enough to think of the statement from
the objective of this document: "The major objective is to provide a simple,
but secure, highly efficient access control model for LDAP while also
providing the appropriate flexibility to meet the needs of both
the Internet and enterprise environments and policies."  I wasn't able to
attend the LA meeting, so I don't know what went on there, but I haven't
seen anything on the mailing list that explicitly rules out using X.500
access control definitions, especially if they meet the requirements that
are laid out in the above document.  I'd also mention Leslie Daigle's
point that the White Pages Service is a primary application for LDAP, and
whatever access control mechanism that is chosen should be aimed at
supporting this service in particular.  I'm paraphrasing her, of course, but
I think that I've come close to what she meant.

I'd (strongly) second Tim Howes' proposal that Steve (or someone) should
write a draft (and submit it in textual form and not binary) that explains
the X.500 access control mechanism, and show how it meets (most of) the
requirements that are laid out in the ACL requirements draft.

Bruce