
RE: C LDAP API: security considerations

At 11:03 PM 11/13/99 -0800, Paul Leach (Exchange) wrote:
>Suggest one plausible way in which it is possible to specify policy to an
>application to do anything with the flexibility you insist must be present.

I believe such should be considered outside the scope of the particular
API specifications.  I believe this issue should be addressed by
extensions to the protocol and/or information model.  These extensions
may mandate how API should chase referrals.  However, until such
extensions are drafted, I believe it inappropriate for the API
specification to mandate a policy not defined by the protocol and/or
information model.

>I.e., suppose the application is informed that it has been given a referral.
>When and how will it decide to chase it, and when not?

Currently unspecified.

>Applications have no idea how to answer the above question. Neither do
>users.

The current protocol/information model relies on implicit policy agreements
between users and the directory.  The API implementation has no knowledge
of these policy agreements.

>If there were to be a mechanism to answer that question, and a way to
>specify the policy for answering it, they should be _below_ the level of the
>LDAP API, so that use of the mechanism and enforcement of the policy would
>_not_ depend on all the applications doing the right thing, since experience
>suggests that will never happen.

I believe that client APIs are the tools for client applications to
implement policy from their, the user's, perspective.  It is my view
that APIs should provide control/flexibility over policy enforcement
to the application (and it to the user).

Kurt
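What application-controlled referral policy looks like in practice, as an added example that is not part of this message, of the thread, or of any LDAP API specification: the application turns automatic chasing off (in the C API this is the LDAP_OPT_REFERRALS option passed to ldap_set_option() with LDAP_OPT_OFF), takes the referral URLs that ldap_parse_result() hands back, and runs each one through a check of its own before connecting anywhere. The check below is one such policy. The allow-list, the refuse-to-downgrade rule and every host name in it are assumptions chosen for illustration, and the parser covers only the scheme, host and port of an RFC 2255 LDAP URL. Nothing here links against an LDAP library, so it compiles and runs stand-alone.

```c
/* Application-side referral policy for an LDAP client.  Added example, not
 * code from this thread or any LDAP API spec; allow-list, no-downgrade rule
 * and host names are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum referral_decision {
    REFERRAL_CHASE = 0,
    REFERRAL_REFUSE_MALFORMED,  /* not an LDAP URL we can reason about */
    REFERRAL_REFUSE_SCHEME,     /* would move a TLS session to cleartext */
    REFERRAL_REFUSE_HOST        /* host not on the application's allow-list */
};

struct referral_target {
    int  ldaps;                 /* 1 for ldaps://, 0 for ldap:// */
    int  port;                  /* explicit port, or the scheme default */
    char host[256];             /* host name from the URL, lower-cased */
};

/* Assumed: the only directory servers this application will talk to. */
static const char *const trusted_hosts[] = { "ldap1.example.com", "ldap2.example.com" };

/* Scheme, host and port of an RFC 2255 LDAP URL
 * (scheme://host[:port][/dn[?attrs[?scope[?filter]]]]).  Returns 0 or -1.
 * Empty host ("ldap:///dn") and IPv6 literals are rejected on purpose:
 * a policy check needs a host name it can match. */
static int parse_referral_url(const char *url, struct referral_target *t)
{
    const char *p, *end, *colon;
    size_t i, n;

    memset(t, 0, sizeof *t);
    if (strncasecmp(url, "ldaps://", 8) == 0) { t->ldaps = 1; t->port = 636; p = url + 8; }
    else if (strncasecmp(url, "ldap://", 7) == 0) { t->port = 389; p = url + 7; }
    else return -1;

    end = strchr(p, '/');                 /* hostport ends at the first '/' */
    if (end == NULL) end = p + strlen(p);
    if (end == p) return -1;              /* empty host */

    colon = memchr(p, ':', (size_t)(end - p));
    if (colon != NULL) {                  /* explicit port: digits only, 1..65535 */
        char *stop;
        long port;
        if (!isdigit((unsigned char)colon[1])) return -1;
        port = strtol(colon + 1, &stop, 10);
        if (stop != end || port < 1 || port > 65535) return -1;
        t->port = (int)port;
        end = colon;
    }

    n = (size_t)(end - p);
    if (n >= sizeof t->host) return -1;
    for (i = 0; i < n; i++) {             /* letters, digits, '-', '.' only */
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '-' && c != '.') return -1;
        t->host[i] = (char)tolower(c);
    }
    t->host[n] = '\0';
    return 0;
}

/* The application's policy.  session_is_tls says whether the connection that
 * returned the referral is TLS-protected.  Assumed rules: never follow a
 * referral that drops a protected session to ldap://, and never follow one
 * to a host that is not on the allow-list. */
enum referral_decision referral_policy(const char *url, int session_is_tls,
                                       struct referral_target *t)
{
    size_t i;
    if (parse_referral_url(url, t) != 0) return REFERRAL_REFUSE_MALFORMED;
    if (session_is_tls && !t->ldaps) return REFERRAL_REFUSE_SCHEME;
    for (i = 0; i < sizeof trusted_hosts / sizeof trusted_hosts[0]; i++)
        if (strcmp(t->host, trusted_hosts[i]) == 0) return REFERRAL_CHASE;
    return REFERRAL_REFUSE_HOST;
}

int main(void)
{
    /* Constructed referral URLs of the kind ldap_parse_result() hands back. */
    static const char *const referrals[] = {
        "ldaps://ldap2.example.com/dc=example,dc=com??sub?(uid=jdoe)",
        "ldap://ldap1.example.com/dc=example,dc=com",
        "ldaps://ldap.attacker.example/dc=example,dc=com",
    };
    static const char *const verdict[] = { "chase", "refuse: malformed",
                                           "refuse: downgrade", "refuse: host" };
    size_t i;
    for (i = 0; i < sizeof referrals / sizeof referrals[0]; i++) {
        struct referral_target t;
        printf("%-62s -> %s\n", referrals[i], verdict[referral_policy(referrals[i], 1, &t)]);
    }
    return 0;
}
```

The reason this sits above the library rather than inside it is the question the thread is circling: with automatic chasing on, the library picks the next server from whatever URL the directory returned and binds to it with whatever its rebind procedure supplies, and the application never sees the host name. Which hosts and which schemes are acceptable is exactly the policy Paul asks how to specify; in this example it is two lines the application owns, and a referral that fails either line is simply not followed.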