[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Comments on the ACL Model draft

To: Ellen Stokes <stokes@austin.ibm.com>, Richard V Huber <rvh@qsun.mt.att.com>, blakley@dascom.com, djbyrne@us.ibm.com
Subject: RE: Comments on the ACL Model draft
From: Ryan Moats <jayhawk@att.com>
Date: Fri, 17 Mar 2000 08:15:20 -0600
Cc: ietf-ldapext@netscape.com
Importance: Normal
In-reply-to: <4.2.2.20000316161309.00a21220@popmail2.austin.ibm.com>
Resent-date: Fri, 17 Mar 2000 06:16:51 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <vDhVzB.A.ZmG.A5j04@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Ok, my $0.02, delineated with <rm>...</rm>
I've also cut whole swaths to save space...

| >Page 16:
| >
| >TECHNICAL:
| >
| >              Precedence of Privilege Attribute dnTypes within a scope
| >              (highest to lowest):
| >
| >                 - ipAddress
| >                   ^^^^^^^^^
| >
| >                 - access-id, kerberosID (both same precedence)
| >                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| >
| >                 - group
| >
| >                 - role
| >
| >                 - subtree
| >
| >Requirement S6 of the requirements draft states:
| >
| >              S6.  Access policy SHOULD NOT be expressed in terms of
| >              attributes which are easily forged (e.g. IP addresses).
| >              There may be valid reasons for enabling access based on
| >              attributes that are easily forged and the
| >              behavior/implications of doing that should be documented.
| >
| >Isn't use of ipAddress flaunting this?
| 
| (EJS)  Not really.  The requirements document was put in place to serve
| as a guideline for writing the model draft, not as an explicit 
| 'must follow' for writing the draft.  So some things in the requirements
| are not in the draft and vice-versa.  This was explained at previous
| ldapext meeting.  Just because ipAddress is in the draft and an
| implementation provides it, doesn't mean that the deployment of the
| server needs to use it.

Hang on.  I don't buy this (and I don't remember that particular LDAPEXT
meeting, but I might have been someplace else).  As I read SHOULD NOT, we
need a good reason for using ipAddress.  I don't see any documentation
of why ipAddress is supported in this draft.  At a bare minimum, we should
document (a) why ipAddress is being proposed and (b) make a specific
"Security Consideration" note about ipAddress being easily forgable.
I'd really like for support of ipAddress to be a MAY (with everything else
in the list a MUST), since this document is standards track.

Ryan

References:
- Re: Comments on the ACL Model draft
  - From: Ellen Stokes <stokes@austin.ibm.com>

Prev by Date: Re: ldapACI: collection and attribute list
Next by Date: RE: Comments on the ACL Model draft
Index(es):
- Chronological
- Thread