
RE: Considering Attribute Subtypes during ACL evaluation

I have an attribute type "userCertificate" and have many values (PKI A certificate; PKI B certificate, etc.)

My requirement is to constrain the management of that attribute value to the CA or appropriate named authority for that attribute value.

I would not want to allow CA for PKI A to have all privileges wrt userCertificate for PKI B.

As I read your proposal, I don't interpret this as supporting my requirement.

Is this correct?

Sandi

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Friday, September 29, 2000 5:53 PM
To: Jim Sermersheim
Cc: ietf-ldapext@netscape.com; Duane Buss
Subject: Re: Considering Attribute Subtypes during ACL evaluation


At 05:37 PM 9/28/00 -0600, Jim Sermersheim wrote:
>Are attribute subtypes considered when calculating access control information? In other words, if I have read permission to the "name" attribute, does that automatically give me read permission to sn, cn, givenName, etc?
>
>I can't find any coverage of this in X.511 or the latest ACL draft. Due to the lack of anyone talking about it, my assumption is that, no, permissions do not flow down attribute inheritance chains, they must be explicitly stated for each attribute.
>
>Of course with LDAP, this brings up the question of whether they apply to attribute type options. It seems to make sense, under most circumstances, to apply them in this case. Oh, what a world - what a world.

When I asked this question previously, the answer was "no, ACLs
apply only to the specified type, not subtypes".

I have argued that each ACL should be applied to subtypes.  One
issue in adding such is which ACL takes precedence.  This is
complicated due to multiple inheritance due to attribute
description options.

One possible precedence:
        type;a;b;c
        type
        supertype;a;b;c
        supertype

Of course, if one of the options was "binary", it sure would be
nice to allow
        type;a;binary;c
        type;a;c
        type
        supertype;a;binary;c
        supertype;a;c
        supertype

But this seems overly complicated.  An alternative would be to
say that ACLs apply to attribute types, not attribute descriptions.
So, access to "type;a;b;c" would be governed by:
        type
        supertype

I prefer this.

Kurt
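
The two precedence orders above, written out as a lookup, as an added Python example that is not from the thread or from any LDAP server. The subtype table (cn, sn, givenName under name) and the ACL entries used in the comments are constructed; `options_matter=False` corresponds to the "ACLs apply to attribute types, not attribute descriptions" alternative.

```python
"""Resolve which ACL entry governs an attribute description, following the
precedence orders discussed in the thread (constructed example)."""
from typing import Optional

# Constructed schema fragment: subtype -> supertype (keys lowercased).
SUPERTYPE = {"cn": "name", "sn": "name", "givenname": "name"}


def type_chain(attr_type: str) -> list[str]:
    """Return [type, supertype, ...] walking up the inheritance chain."""
    chain = [attr_type.lower()]
    while chain[-1] in SUPERTYPE:
        chain.append(SUPERTYPE[chain[-1]])
    return chain


def parse_description(desc: str) -> tuple[str, list[str]]:
    """Split 'type;a;b;c' into ('type', ['a', 'b', 'c']), all lowercased."""
    parts = desc.lower().split(";")
    return parts[0], parts[1:]


def candidates(desc: str, options_matter: bool = True) -> list[str]:
    """ACL keys to try, most specific first.

    options_matter=True: type;a;b;c, type, supertype;a;b;c, supertype, with
    the 'binary' refinement (also try the same options minus ';binary').
    options_matter=False: options are ignored, so only type, supertype.
    """
    base, opts = parse_description(desc)
    keys: list[str] = []
    for t in type_chain(base):
        if options_matter and opts:
            keys.append(";".join([t, *opts]))
            if "binary" in opts:
                rest = [o for o in opts if o != "binary"]
                if rest:  # e.g. type;a;binary;c -> type;a;c
                    keys.append(";".join([t, *rest]))
        keys.append(t)
    return keys


def governing_acl(desc: str, acl: dict[str, str],
                  options_matter: bool = True) -> Optional[str]:
    """Return the rule of the first candidate present in the ACL table."""
    table = {k.lower(): v for k, v in acl.items()}
    for key in candidates(desc, options_matter):
        if key in table:
            return table[key]
    return None  # no ACL entry governs this description
```

With `{"name": "read", "sn;lang-en": "none"}`, access to `sn;lang-en` resolves to `none` under the first order but to `read` once options are ignored, which is the difference between the two proposals.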
