
RE: Considering Attribute Subtypes during ACL evaluation

Thank you for the reply.

One of the thoughts we've had (maybe a dangerous thing) is to use the subtyping capability and put some form of tag information into the attribute type, indicating that it is of 'type RSA 2048' or 'type DSA 1024', etc. and then try to apply ACIs against the type.

Seems like a particularly burdensome way to present a repository that can be managed by differing CA domains.

Any alternatives welcomed.

regards,
Sandi

-----Original Message-----
From: hahnt@us.ibm.com [mailto:hahnt@us.ibm.com]
Sent: Monday, October 02, 2000 8:36 PM
To: ietf-ldapext@netscape.com
Subject: RE: Considering Attribute Subtypes during ACL evaluation



Sandi,

As I understand the LDAP ACL draft, access control is not applied to
individual values within an attribute within an entry.  Access control
applies to all values for the attribute within the entry.  Thus, I believe
you are correct.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681


"Miklos, Sue A." <samiklo@missi.ncsc.mil> on 10/02/2000 08:25:22 AM

To:   "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>, Jim Sermersheim
      <JIMSE@novell.com>
cc:   ietf-ldapext@netscape.com, Duane Buss <DBuss@novell.com>
Subject:  RE: Considering Attribute Subtypes during ACL evaluation
I have an attribute type "userCertificate" and have many values (PKI A
certificate; PKI B certificate, etc.)

My requirement is to constrain the management of that attribute value to
the CA or appropriate named authority for that attribute value.

I would not want to allow CA for PKI A to have all privileges wrt
userCertificate for PKI B.

As I read your proposal, I don't interpret this as supporting my
requirement.

Is this correct?

Sandi

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Friday, September 29, 2000 5:53 PM
To: Jim Sermersheim
Cc: ietf-ldapext@netscape.com; Duane Buss
Subject: Re: Considering Attribute Subtypes during ACL evaluation

At 05:37 PM 9/28/00 -0600, Jim Sermersheim wrote:
>Are attribute subtypes considered when calculating access control
>information? In other words, if I have read permission to the "name"
>attribute, does that automatically give me read permission to sn, cn,
>givenName, etc?
>
>I can't find any coverage of this in X.511 or the latest ACL draft. Due to
>the lack of anyone talking about it, my assumption is that, no, permissions
>do not flow down attribute inheritance chains, they must be explicitly
>stated for each attribute.
>
>Of course with LDAP, this brings up the question of whether they apply to
>attribute type options. It seems to make sense, under most circumstances,
>to apply them in this case. Oh, what a world - what a world.

When I asked this question previously, the answer was "no, ACLs
apply only to the specified type, not subtypes".

I have argued that each ACL should be applied to subtypes.  One
issue in adding such is which ACL takes precedence.  This is
complicated due to multiple inheritance due to attribute
description options.

One possible precedence:
        type;a;b;c
        type
        supertype;a;b;c
        supertype

Of course, if one of the options was "binary", it sure would be
nice to allow
        type;a;binary;c
        type;a;c
        type
        supertype;a;binary;c
        supertype;a;c
        supertype

But this seems overly complicated.  An alternative would be to
say that ACLs apply to attribute types, not attribute descriptions.
So, access to "type;a;b;c" would be governed by:
        type
        supertype

I prefer this.

Kurt
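The precedence schemes discussed in this thread, as an added illustration that is not part of the original messages or of any LDAP server's ACL code: a constructed toy schema (name with subtypes cn, sn and givenName) and a lookup that lists which ACL subjects would be consulted, in order, under the "types only" answer, Kurt's two option-aware orderings, and his preferred "attribute types, not descriptions" rule.

```python
# Constructed toy schema: attribute type -> its supertype (None at the root),
# modelled on the name/sn/cn/givenName example from the thread.
SUPERTYPE = {"cn": "name", "sn": "name", "givenName": "name", "name": None}

def supertype_chain(attr_type):
    """Walk the schema from attr_type up to the root: [type, supertype, ...]."""
    chain = []
    while attr_type is not None:
        chain.append(attr_type)
        attr_type = SUPERTYPE.get(attr_type)
    return chain

def candidates(desc, scheme):
    """Ordered ACL subjects to consult for an attribute description 'type;a;b;c'.

    scheme 'strict':  the named type only (the "no, ACLs do not apply to subtypes" answer)
    scheme 'options': type;a;b;c, type, supertype;a;b;c, supertype
    scheme 'binary':  as 'options', but also trying the description with the
                      transfer option 'binary' stripped before falling back to the bare type
    scheme 'types':   attribute types only; options on the description are ignored
    Option order is assumed to match between description and ACL (no canonicalisation).
    """
    attr_type, *opts = desc.split(";")
    chain = supertype_chain(attr_type)
    if scheme == "strict":
        return chain[:1]
    out = []
    for t in chain:
        if scheme != "types" and opts:
            out.append(";".join([t, *opts]))
            rest = [o for o in opts if o != "binary"]
            if scheme == "binary" and rest != opts and rest:
                out.append(";".join([t, *rest]))
        out.append(t)
    return out

def evaluate(desc, acl, scheme):
    """First ACL entry governing desc under the scheme, as (subject, rights), or None."""
    for subject in candidates(desc, scheme):
        if subject in acl:
            return subject, acl[subject]
    return None  # no ACL applies; a server should treat this as deny
```

Note that with an ACL granting "write" on name;lang-en and "read" on name, a request for givenName;lang-en gets write under the option-aware orderings but only read under the types-only rule, which is exactly the precedence question the message raises.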
