
re: LDAP Access Control

: Hi all. It appears to Mark and me, your LDAPEXT co-chairs,
: that the ACL discussions have broken down and are no longer
: producing anything constructive. This message is our attempt
: to put things back on track. To do this effectively, we need
: your help and participation.  Please read this message
: carefully and respond to the questions posed.
: 
: We are not taking a vote, we are simply trying to gauge the
: consensus in the group. There have been several vocal views
: expressed, and we need to determine which ones (if any!) have
: the support of the group.  If this looks like rehashing of
: old ground, please bear with us one more time.  Please note
: that the reply-to on this message points to Mark and me. If
: you would like to reply to the whole list, please feel free
: to do so.
: 
: QUESTION 1: Do you believe LDAPEXT should be trying to define
: requirements, framework, and/or a model for access control in
: LDAP directories?

Yes.  Without a common access control framework, interoperation and
replication across different vendors' implementations will be extremely
limited.

: QUESTION 2: Do you basically support the access control
: requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?

In general yes, but the 00 requirements draft is pre-Los Angeles.  I
suspect there is a revision coming that includes some of the things
that were discussed at the Los Angeles IETF.

: QUESTION 3: Do you basically support the access control model
: draft (draft-ietf-ldapext-acl-model-00.txt)?

It is extremely flexible, but seems overly complex.  I'd like to see a
bit more discussion on whether all the flexibility is needed in order
to meet the requirements.  Is there a simpler model that also meets the
requirements?

: QUESTION 4: Do you think we should adopt the X.500(1993)
: basic access control model as the starting point for the LDAP
: access control model?

I have the same answer here that I had to Question 3.  Is all the
complexity of X.500(1993) needed?  If we use X.500 for a starting
point, we should aim for a subset.  One other point - if we start with
X.500(1993), won't we soon be asked about X.500(1997)?

: QUESTION 5: Do you think we should specify only a framework
: for identifying access control models, and not define a
: single standards-track model for LDAP at this time?

This goes back to my answer to Question 1.  If there is not a single
standards-track model, interoperability will be extremely limited.

: Please let us know what you think.  If nobody responds to
: these questions, we'll assume that you support the direction
: stated in the charter and worked on in the group so far,
: which is to define an LDAP access control model, and to
: support the requirements and proposed model drafts.
: 
: Tim Howes and Mark Wahl

Rick Huber