
Re: ACL draft: specify credentials (and Weltman proxy draft)



Ellen,

To help with this, could you explain what is meant by a "privilege attribute
certificate"?

If the role of the specify-credentials control is to say "here is some
other data", without specifying what it is, then is it really adding
value?  For example, the draft also gives the example of groups/roles associated
with the bind DN in the credentials field.  We have the DN Types ("group"
and "role") already mentioned in the draft  (6.2.2) so we could specify how
to list these in the control if we wanted to.

Rob.

Ellen Stokes wrote:

> The 2 drafts are similar but different.  The Weltman draft
> specifies the proxy as a LDAPDN.  The access control model draft
> talks about the ability to send only the credential, e.g. privilege
> certificate, not the ability to say use this other DN.  What the
> server does with the credential (e.g. trust it, validate it, reject it)
> is server defined (there's a section in the model that addresses
> this point).
>
> The Weltman draft is currently an individual submission.  So the
> question is should we combine the 2 drafts, should we remove the
> specify credentials - perhaps moving it to the Weltman draft, or
> something else or some combination?
>
> Thoughts?
>
> Ellen
>
> At 11:45 AM 10/28/1999 +0200, Rob Byrne - Sun Microsystems wrote:
> >
> >Hi Debbie,
> >
> >A couple of things  on the "specify credentials" control.
> >
> >1. There is (was ?) a draft from Rob Weltman for what he calls a "proxy
> >control" (draft-weltman-ldapv3-proxy-02.txt).  There seems to be some
> >overlap here.
> >
> >2. How will the access control model determine whether a user has the
> >right to proxy or not, i.e. use the "specify credentials control"?
> >
> >Rob.
> >--iPlanet Directory Group
> >