[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Standards and APIs (C LDAP API: security considerations)

To: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Subject: RE: Standards and APIs (C LDAP API: security considerations)
From: Graham Klyne <GK@dial.pipex.com>
Date: Thu, 18 Nov 1999 13:06:59 +0000
Cc: ietf-ldapext@netscape.com
Resent-date: Thu, 18 Nov 1999 05:10:22 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"d9VFQD.A.hp.tq_M4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Paul,

If you are talking about policies whose effect is to allow/disallow an
action, then I agree.

OTOH, policies that result in different behaviours for a given operation
(which I understood --maybe incorrectly-- to be the case with referrals),
then I think that is a different kind of consideration.

#g
--

At 11:14 17/11/99 -0800, Paul Leach (Exchange) wrote:
>> Without this, 
>> applications that
>> wish to depend on some particular (policy-definied) behaviour 
>> are left out
>> in the cold;  or, they use an API subset for which full semantics are
>> defined, which brings us back to Harald's position.
>
>Applications shouldn't need to depend on certain policies being configured.
>"Policy" is not the same as configuration "options". 
>What applications will have to do is to be able to cope with being told an
>action is denied by policy. Just like they have to cope with authentication
>failures or "access denied".

------------
Graham Klyne
(GK@ACM.ORG)

Prev by Date: Authz/Authc state upon start TLS
Next by Date: Re: FW: I-D ACTION:draft-armijo-ldap-treedelete-02.txt
Index(es):
- Chronological
- Thread