
Comments on Access Control Model - authentication levels



The BNF allows the authentication level to be omitted from ACI.  It
also allows specification of "none" and "any".

Section 4.2.3 explains the difference between omitting the
specification and using "any", but it does not explain "none".  I
suggest "none" be removed from the BNF.

Section 4.2.3 also says "For permission to be granted, the subject must
have been authenticated to at least the level specified, but that if
the right is a deny, then everyone is denied access unless they have
been authenticated to at least the level specified in authnLevel."

I think we will have a lot of problems trying to agree on a
well-ordering of authnLevels.  I suggest we remove the parts about "at
least the level specified".  I also feel the part about "... then
everyone is denied access unless ..." is unclear.

Can we just say "For permission to be granted, the subject must have
been authenticated to the level specified."

Rick Huber
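
Added example, not part of the original message or of the draft it discusses: a Python sketch that evaluates the quoted Section 4.2.3 wording ("at least the level specified", for both grant and deny) beside the exact-match wording proposed for grants. The level names and the ordering between them are hypothetical; two of them are deliberately left incomparable to show where an agreed ordering is needed.

```python
# Added illustration. Level names and their ordering are hypothetical,
# not values taken from the draft under discussion.

# Partial order: each level maps to the set of levels it counts as "at least".
# "password_tls" and "cert" are deliberately incomparable.
DOMINATES = {
    "anonymous": {"anonymous"},
    "password_tls": {"anonymous", "password_tls"},
    "cert": {"anonymous", "cert"},
    "strong": {"anonymous", "password_tls", "cert", "strong"},
}


def at_least(subject_level, required):
    """True if subject_level is ordered at or above required."""
    return required in DOMINATES[subject_level]


def grant_applies(required, subject_level, exact=False):
    """Grant ACI: quoted wording (exact=False) or proposed wording (exact=True)."""
    if exact:
        return subject_level == required
    return at_least(subject_level, required)


def deny_applies(required, subject_level):
    """Deny ACI, quoted wording: denied unless authenticated to at least the level."""
    return not at_least(subject_level, required)


def table(required):
    """Map each subject level to (grant at-least, grant exact, deny at-least)."""
    return {
        lvl: (grant_applies(required, lvl),
              grant_applies(required, lvl, exact=True),
              deny_applies(required, lvl))
        for lvl in DOMINATES
    }


if __name__ == "__main__":
    print("authnLevel = password_tls")
    for lvl, (g_ordered, g_exact, denied) in table("password_tls").items():
        print(f"  subject={lvl:12} grant(at-least)={g_ordered!s:5} "
              f"grant(exact)={g_exact!s:5} deny(at-least)={denied}")
```

The result for the incomparable level ("cert" here) depends entirely on how the ordering table is filled in, and the higher level ("strong") is granted under the "at least" wording but not under exact matching.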