Re: AuthzIDs or DNs, but not both

[Harald Tveit Alvestrand <Harald@Alvestrand.no>]

At 11:30 14.11.99 -0800, Kurt D. Zeilenga wrote:
> It appears to me that the authzIds-are-not-necessarily-DNs
> notion will cause a ripple of change through the protocol and
> information model.  The introduction of authzid
> representation [AuthMeth] will lead to creatorsAuthzid,
> modifiersAuthzid, memberAuthzid, and many other use of DNs
> to be replaced with something that can contain both an
> authzId.  I believe the addition of authzIds will
> unnecessarily complicate the protocol and information model.

When we discussed this in Washington 2 years ago, I think we had an 
implicit assumption that the authzId in the SASL exchange, which may, but 
need not, be a DN, would be *mapped to* a DN if required for internal purposes.
The purpose would be that the DN need not be maintained anywhere seen by 
the user.

I don't remember an argument that the idea "an identity is a DN" should be 
abandoned.
In other words, I agree with Kurt.

                    Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no