RE: LDAP Access Control



All, I believe that there are useful pieces of the X.500 model that can
be extracted to serve the majority of the user communities.  

I need (LDAP) clients that can convey 'basic' (not to be confused with
the context of X.501) information so that a server can determine what
decisions to make.  These information objects should be as consistent as
possible, so that I can reuse processes at both the client and server to
the maximum extent.  I cannot afford to have infrastructure components
that must understand and en/decode multiple permutations of the same
information.

While I cannot volunteer to write the entire draft, I will volunteer to
review / comment on anything that will help the deployment of a
certificate repository system that meets the majority needs.

Sandi Miklos 
(the opinions expressed are not necessarily those of my employer!)
>----------
>From: 	howes@netscape.com[SMTP:howes@netscape.com]
>Sent: 	Friday, July 03, 1998 1:07 PM
>To: 	Alan Lloyd
>Cc: 	ietf-ldapext@netscape.com; m.wahl@innosoft.com
>Subject: 	Re: LDAP Access Control
>
>Alan Lloyd wrote:
>> 
>> for Q4 In terms of basing the LDAP ACI work on X.500 access controls -
>> do we also assume,  that as this access control information must have "a
>> home" in a system, that X.500 system design will be followed. ie. ACI
>> must live within a management framework such as the X.500 administrative
>> points and subentries - and that ACI must be tied to authentication
>> processes ie. X.509 -
>> 
>> Does it follow then that we all assume that the LDAP work is now
>> embracing all the security and distributed system design and the DIT
>> management model aspects of X.500?
>
>I don't know. You tell me. Are you volunteering to
>write the draft? If the only way to incorporate the
>X.500 access control model is to incorporate all the
>rest of X.500, then we should stop going down this
>path right now and avoid wasting our time. On the
>other hand, if we can incorporate useful pieces of
>the X.500 access control model that solve our problem,
>we should investigate that. My impression is that we
>can do the latter, but I could be wrong.
>         -- Tim
>
>