[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: AuthzIDs or DNs, but not both

To: "Curtin, William" <curtinw@ftm.disa.mil>
Subject: RE: AuthzIDs or DNs, but not both
From: "Kurt D. Zeilenga" <kurt@boolean.net>
Date: Mon, 15 Nov 1999 11:56:01 -0800
Cc: "Curtin, William" <curtinw@ftm.disa.mil>, 'Harald Tveit Alvestrand' <Harald@Alvestrand.no>, JHodges@oblix.com, IETF LDAP Extensions WG <ietf-ldapext@netscape.com>, RL Bob Morgan <rlmorgan@cac.washington.edu>
In-reply-to: <92CDE837027BD3119C4200204804F0CCCBF155@rbmail101.chamb.dis a.mil>
Resent-date: Mon, 15 Nov 1999 11:57:47 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"AVHaqC.A.qcG.zWGM4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

At 01:47 PM 11/15/99 -0500, Curtin, William wrote:
>Perhaps the use of the word INTERNAL was a poor choice. By internal I meant
>that the server would map the uAuthzId used for authentication into the
>distinguished name associated with the uAuthzId to support operational
>attributes, access control, etc. Is there a better way to phrase it?

The key issue I am raising is whether or not it makes sense to have more
than one protocol representation of authorization principals.  I believe
only one is necessary and that a second is an unnecessary complication.

The fact that a server can map the uAuthzId to a DN implies
that the client can map a uAuthzId to a DN.  Hence, there is
no need for the second protocol representation as the client can do
this mapping.  We just need to describe how the mapping should be
done to make it generally useful.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>

Follow-Ups:
- Re: AuthzIDs or DNs, but not both
  - From: mcs@netscape.com (Mark C Smith)
- RE: AuthzIDs or DNs, but not both
  - From: Harald Tveit Alvestrand <Harald@Alvestrand.no>

Prev by Date: RE: AuthzIDs or DNs, but not both
Next by Date: RE: AuthzIDs or DNs, but not both
Index(es):
- Chronological
- Thread