David, Ellen,
Would the ACDF processing of the semantic content contained within the 'group' against the credentials presented be different between the two usages?
Could the processing be restrictive (exact match / equality) or permissive (intersection / subset) in either case?
Sandi Miklos
-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick@salford.ac.uk]
Sent: Tuesday, October 19, 1999 9:26 AM
To: Ellen Stokes; ietf-ldapext@netscape.com
Subject: Re: Comments on aci-model-04
>
> In implementation, group and role tend to both be implemented as a group
> of names. However, a group is just a collection of names where the group
> name can be used to shorthand access to some object or attribute.
Ellen,
This is the bit I am objecting to, i.e. the attaching of two different
semantics to group - one where the name of the group is a
shorthand for the group e.g. o=ibm,c=us, - the other where the
name of the group points to a group of names object where the
enclosed names bear no relationship to the name of the group
e.g. cn=ldapext, dc=netscape, dc=com.
I therefore am proposing that you have two separate values for
dntype, to reflect the differences. Let's call them subtree and group.
David
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
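
Added example, not part of the original messages and not code from the aci-model draft: a sketch of how an access decision function could evaluate the two dntype values proposed above, using the DNs from David's message. The function names, the in-memory directory, the member DNs and the simplified DN normalization are all assumptions made for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN into normalized RDNs, leftmost first.
    Simplified: case-insensitive values, no multi-valued RDNs or hex escapes."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def in_subtree(subject_dn, base_dn):
    """Assumed 'subtree' semantics: subject is the named entry or lies below it.
    Compared RDN by RDN, so 'xo=ibm,c=us' is not mistaken for 'o=ibm,c=us'."""
    subject, base = parse_dn(subject_dn), parse_dn(base_dn)
    return len(subject) >= len(base) and subject[len(subject) - len(base):] == base

def in_group(subject_dn, group_dn, directory):
    """Assumed 'group' semantics: subject is listed in the named group entry.
    The group's own DN plays no part in the comparison."""
    members = directory.get(parse_dn(group_dn), ())
    return parse_dn(subject_dn) in {parse_dn(m) for m in members}

def subject_matches(dntype, aci_dn, subject_dn, directory):
    """Dispatch on dntype; unknown types raise instead of silently granting."""
    if dntype == "subtree":
        return in_subtree(subject_dn, aci_dn)
    if dntype == "group":
        return in_group(subject_dn, aci_dn, directory)
    raise ValueError(f"unknown dntype: {dntype!r}")

# Constructed directory: one group entry whose members sit in unrelated subtrees.
DIRECTORY = {
    parse_dn("cn=ldapext, dc=netscape, dc=com"): [
        "cn=alice, ou=research, o=ibm, c=us",
        "cn=bob, o=example, c=gb",
    ],
}

if __name__ == "__main__":
    bob = "cn=bob, o=example, c=gb"
    for dntype, dn in [("subtree", "o=ibm,c=us"),
                       ("group", "cn=ldapext, dc=netscape, dc=com"),
                       ("subtree", "cn=ldapext, dc=netscape, dc=com")]:
        print(dntype, dn, "->", subject_matches(dntype, dn, bob, DIRECTORY))
```

The same DN gives different answers depending on which semantics is applied, which is why a single overloaded value leaves the decision ambiguous.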