RE: LDAP Access Control



-----Original Message-----
From: Tim Howes [mailto:howes@netscape.com]
Sent: Tuesday, June 09, 1998 7:09 PM
To: ietf-ldapext@netscape.com
Subject: LDAP Access Control


>QUESTION 1: Do you believe LDAPEXT should be trying to define 
>requirements, framework, and/or a model for access control in 
>LDAP directories?

Requirements: yes, as guidelines.
Framework: yes, if by that you mean a way of identification of access
control model in use.
Model: yes, as long as it does not preclude other ones.
 
>QUESTION 2: Do you basically support the access control 
>requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?

No, and we've expressed our objections repeatedly.
 
>QUESTION 3: Do you basically support the access control model 
>draft (draft-ietf-ldapext-acl-model-00.txt)?

No. But it's clear that some people like it a lot. That's one reason
for preferring a framework that would permit it to coexist with the
solutions other people like a lot.
 
>QUESTION 4: Do you think we should adopt the X.500(1993) 
>basic access control model as the starting point for the LDAP 
>access control model?

No. But it is clear that for some people, this is absolutely mandatory
and completely non-negotiable. In their context, they may be right; all I
can say is that in mine, it isn't. Another reason for preferring a
framework: I don't have to force my choice down people's throat.
 
>QUESTION 5: Do you think we should specify only a framework 
>for identifying access control models, and not define a 
>single standards-track model for LDAP at this time?

Framework first. If we keep fighting over models, it'll take too long.
I think the disagreements show that there's not enough common experience
to create "one" standard. With a framework, we'd quickly get the "pure"
X.500 model as one choice, and a "lightweight" one as another one.

Paul