Reply to LDAP Access Control


>Hi all. It appears to Mark and me, your LDAPEXT co-chairs,
>that the ACL discussions have broken down and are no longer
>producing anything constructive. This message is our attempt
>to put things back on track. To do this effectively, we need
>your help and participation. Please read this message
>carefully and respond to the questions posed.
>
>We are not taking a vote, we are simply trying to gauge the
>consensus in the group. There have been several vocal views
>expressed, and we need to determine which ones (if any!) have
>the support of the group. If this looks like rehashing of
>old ground, please bear with us one more time. Please note
>that the reply-to on this message points to Mark and me. If
>you would like to reply to the whole list, please feel free
>to do so.
>
>QUESTION 1: Do you believe LDAPEXT should be trying to define
>requirements, framework, and/or a model for access control in
>LDAP directories?
>

Requirements, framework and a base model should be defined.  The
model should define a common access control solution to be supported
by all LDAP server implementations.  The framework should define the
structure upon which the common access control solution and possibly
registered alternative solutions operate.  If the framework is
sufficiently specified, then translation between different access
control models should be possible.  The requirements should
define, using well-reasoned usage cases, the set of access control
functions necessary in the framework.

>QUESTION 2: Do you basically support the access control
>requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?
>

No.  Many of the requirements are highly subjective, e.g. "...MUST be
easy to understand..." and "When in doubt, safer is better...", and
unusable for creating a solution.  All have no supporting use cases
or documentation.  It would be better if the majority of the requirements
document was organized by LDAP server use cases: e.g., requirements for
an open, public domain service, requirements for a moderately secured
service, requirements for a highly secured, government service, etc., so
that the requirements could be seen in terms of actual use.

>QUESTION 3: Do you basically support the access control model
>draft (draft-ietf-ldapext-acl-model-00.txt)?
>

No.  The solution is inferior to the 1993 X.500 access controls.
To my knowledge, the X.500 access controls were based, in part,
on US Government security requirements.  The editor of the
X.500 access control specifications, Michael Ransom, then of NIST,
also acted as a conduit for Government requirements so that the
X.500 solution would satisfy Government needs.  There are as yet
no supporting documents upon which the draft LDAP access control
document stands.  I would highly recommend investigating what
Government requirements were used as part of the basis for the
X.500 access controls.

>QUESTION 4: Do you think we should adopt the X.500(1993)
>basic access control model as the starting point for the LDAP
>access control model?
>

For the reasons suggested above, X.500 should be the main starting
point for an LDAP framework unless well supported requirements
(i.e., changes in Government policy) dictate otherwise.

>QUESTION 5: Do you think we should specify only a framework
>for identifying access control models, and not define a
>single standards-track model for LDAP at this time?
>

Both.

>Please let us know what you think. If nobody responds to
>these questions, we'll assume that you support the direction
>stated in the charter and worked on in the group so far,
>which is to define an LDAP access control model, and to
>support the requirements and proposed model drafts.
>
>Tim Howes and Mark Wahl

Thanks, Jim Reed
Control Data Systems.