
Re: Standards and APIs (C LDAP API: security considerations)



Graham Klyne wrote:
> 
> >> One man's application is another man's vendor.
> >>
> >> The classical reason for standard APIs is so that you can have one
> >> application running on multiple platforms, or multiple OS
> >> versions, and have the results of that application be the same.
> >
> >I don't disagree as far as it goes -- I'm just adding "results of that
> >application be the same when the configured policies are the same".
> 
> I'd suggest that to achieve this in a _standard_ API, one would also need
> to specify the policy configuration options that must be provided, and
> their effect on the behaviour of an API implementation, and possibly even
> the mechanisms for configuring policies.  Without this, applications that
> wish to depend on some particular (policy-defined) behaviour are left out
> in the cold;  or, they use an API subset for which full semantics are
> defined, which brings us back to Harald's position.
> 
> I suspect that policy configuration could turn out to be a rathole.

I strongly agree.  My position is that the C LDAP API standard which we
have been trying to reach consensus on for some time should not attempt
to address policy for chasing of referrals.  I think this aligns pretty
well with Harald's position as well.  If there is a lot of value in
providing policy-based decision making on top of or beneath the C LDAP
API, that should be tackled as an optional extension to the API.  I
would also argue that any such extension would be experimental at this
time because we have very little (no?) operational experience with
application neutral policy based referral chasing in LDAP.

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?