[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: grant / deny precedenceindraft-ietf-ldapext-acl-model-04.txt

To: David Ward <DSWARD@novell.com>
Subject: Re: grant / deny precedenceindraft-ietf-ldapext-acl-model-04.txt
From: "Daniel A. Oliver" <daoliver@cisco.com>
Date: Fri, 15 Oct 1999 08:56:10 -0700
Cc: samiklo@missi.ncsc.mil, mcs@netscape.com, ietf-ldapext@netscape.com, "Subbu K. K." <KKSUBRAMANIAM@novell.com>
Organization: ou=nsmbu.ou=splob.o=cisco
References: <s806f357.089@prv-mail20.provo.novell.com>
Resent-date: Fri, 15 Oct 1999 08:55:28 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"DjEhv.A.rpG.j50B4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com


David Ward wrote:

> I agree there are two items and I agree with the proposed defaults.
> >>> Mark Smith <mcs@netscape.com> 10/15/99 8:48:48 AM >>>
> > "Miklos, Sue A." wrote:
> > I agree that the model should have a consistent default condition.  I
> > also prefer that the default be "deny" and that only after all rights
> > necessary have been validated, should a "grant" condition occur.
> To clarify, I think there are two different items for discussion:
>
> a) Default access: in the absence of any access control rules, what
> access is granted?  I think the answer should be "none" since this is
> the safest default.
>

Agreed.

Looking at this from the customer's perspective (customers such as legal,
educational, and/or government organizations), defaulting access to "none"
is a critical requirement.

In the event that a new server is being installed into a production
environment containing controlled data, defaulting to a
'front-page-of-the-New-York-Times' security level represents a tremendous
risk.

- just my $0.02


>
> b) Precedence of grant and deny: when a "grant" and a "deny" clause both
> apply, is access granted or denied?  I think access should be denied,
> which is to say that "denies" win out over "grants."

ditto

>
> --
> Mark Smith
> iPlanet Directory Architect / Sun-Netscape Alliance
> My words are my own, not my employer's.   Got LDAP?

begin:vcard 
n:Oliver;Daniel
tel;pager:816-305-6526
tel;cell:816-305-6526
tel;fax:to be determined
tel;home:not listed
tel;work:408-527-3466
x-mozilla-html:TRUE
url:www.cisco.com/nsmbu
org:.ou=NSMBU.ou=SPLOB.o=CISCO;Application Engineering
version:2.1
email;internet:daoliver@cisco.com
title:Directory Services Architect
adr;quoted-printable:;;170 W. Tasman=0D=0A(SJ15/2);San Jose;California;95034;USA
note;quoted-printable:*note:  E-Mail messages are composed with HTML formatting=0D=0Aenabled.  If you have trouble viewing messages, please open with =0D=0Aan HTML compatible message reader (such as Netscape=0D=0ACommunicator).=0D=0A=0D=0A
fn:Daniel A. Oliver
end:vcard

References:
- Re: grant / deny precedence indraft-ietf-ldapext-acl-model-04.txt
  - From: David Ward <DSWARD@novell.com>

Prev by Date: Re: grant / deny precedence indraft-ietf-ldapext-acl-model-04.txt
Next by Date: Re: grant / deny precedence indraft-ietf-ldapext-acl-model-04.txt
Index(es):
- Chronological
- Thread