
Re: LDAP Access Control



Tim, Mark,

 >> QUESTION 1: Do you believe LDAPEXT should be trying to define
 >> requirements, framework, and/or a model for access control in
 >> LDAP directories?

Yes.  Working to figure out requirements is always a good thing.  I
note that this is something which IETF tends to be bad at, as active
members of WGs tend to be those who want to build solutions.

 >> QUESTION 2: Do you basically support the access control
 >> requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?

This sort of thing is always helpful, so I am pleased to see the
document.  I am concerned about the bias in any requirements document
written by the same set of people who then propose a solution.   I am
happy to see this as useful input on requirements, but not as an
agreed total specification of the requirements.


 >> QUESTION 3: Do you basically support the access control model
 >> draft (draft-ietf-ldapext-acl-model-00.txt)?

No.   

 >> QUESTION 4: Do you think we should adopt the X.500(1993)
 >> basic access control model as the starting point for the LDAP
 >> access control model?

I think that allowing X.500(93) access control as a valid approach for
supporting LDAP is essential.   It might then make sense to define
some profiles or extension, perhaps based on initial operational
experience.  

 >> QUESTION 5: Do you think we should specify only a framework
 >> for identifying access control models, and not define a
 >> single standards-track model for LDAP at this time?

I think that if the WG wants to have an access control model or models
different to X.500(93), then this is the right approach.   

I think that if you want a SINGLE AGREED access control model, then
X.500(93) is the only possible option.   There is too much of the
community that wants this choice for any other single option to be viable.

I am inclined to the "let a thousand flowers bloom" school of
standards setting, and I think it makes a lot of sense for the LDAP WG
to define a framework where multiple access control standards can be
used, and then not to set any of them.   However, this would be a
waste of time if no other standards get set. 




Steve