[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: mapping identities RE: Compromise Authentication Proposal

To: 'Ed Reed' <ed_reed@novell.com>, Chris.Oliva@entrust.com, ietf-ldapext@netscape.com
Subject: RE: mapping identities RE: Compromise Authentication Proposal
From: Paul Leach <paulle@microsoft.com>
Date: Fri, 09 Oct 1998 15:03:33 -0700
Resent-date: Fri, 09 Oct 1998 15:04:37 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"8yxPI3.0.QC3.pXe7s"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com


> -----Original Message-----
> From: Ed Reed [mailto:ed_reed@novell.com]
> Sent: Friday, October 09, 1998 2:10 PM
> To: Chris.Oliva@entrust.com; ietf-ldapext@netscape.com
> Subject: RE: mapping identities RE: Compromise Authentication Proposal
> 
> 
> For a variety of reasons, some implementation specific, some 
> foundationally conceptual, I very much want to keep any 
> access control policy that we wind up with internally 
> consistent.  Doing that implies that names which are granted 
> rights must be DNs known (meaning resolveable) to the LDAP 
> namespace to which they're granted rights.

Other name forms than DNs are resolvable. Any attribute of an entry that is
unique is resolvable.

I think we got a layering violation here. Application protocols don't define
security principals -- security protocols do. If this WG wants to go to the
CAT WG and ask for a Kerberos name form for DNs, they are welcome to do so.
But until they do, we can't say that any authentication protocol has to
support DNs for the user name. What we _can_ say (because we do directories)
is that _the directory_ has to be able to map any user name form used in an
authentication protocol into a DN.

Paul

Prev by Date: RE: mapping identities RE: Compromise Authentication Proposal
Next by Date: RE: mapping identities RE: Compromise Authentication Proposal
Index(es):
- Chronological
- Thread