
Comments on Access Control Model - BNF
Per RFC 2234, a "*" used to indicate indefinite repetition comes before
the affected term, not after.  So it should be:

  permissions = [ permission *( "," permission )]

and

  attr = "[all]" / "[entry]" / ( attribute *( "," attribute ))

The BNF for "subject" seems to say that

  authnLevel:simple:ipAddress:127.0.0.1

is a legal subject.  Is that really what was intended?  It's not clear
to me what it means to have an IP address (or a wildcarded domain name)
use a particular authentication mechanism.  And I'm not really sure
what it means to have an authentication mechanism associated with
"public" (if it's public, why would we care about authnLevel?).

So I suggest:

  subject = ( [ "authnLevel:" authnLevel ":" ]
              ( ( "authzID-" authzID ) /
                ( "role:" dn ) /
                ( "group:" dn ) /
                ( "subtree:" dn ) /
                "this:" ) ) /
            ( "ipAddress:" ipAddress ) /
            "public:"

Note that the ASN.1 also allows authnLevel to be specified for
ipAddress and public, so if the above change is accepted the ASN.1
needs to change as well.

The "wildcard domain name" allowed as an ipAddress is a bit vague.  We
could fix it with the BNF below (this version allows wildcarding of
components as opposed to parts of components, and only the least
significant components can be wildcarded):

  ipAddress = IPv6address /
              [ "*." ] domainname

  domainname = domaincomponent *( "." domaincomponent )

  domaincomponent = ALPHA [ *61( ALPHA / DIGIT / "-" ) ( ALPHA / DIGIT )]

Or we could merge the last two suggestions and stop hiding domain names
as IP addresses to get:

  subject = ( [ "authnLevel:" authnLevel ":" ]
              ( ( "authzID-" authzID ) /
                ( "role:" dn ) /
                ( "group:" dn ) /
                ( "subtree:" dn ) /
                "this:" ) ) /
            ( "ipAddress:" ipAddress ) /
            ( "dns:" [ "*." ] domainname ) /
            "public:"

  ipAddress = IPv6address

  domainname = domaincomponent *( "." domaincomponent )

  domaincomponent = ALPHA [ *61( ALPHA / DIGIT / "-" ) ( ALPHA / DIGIT )]

While the BNF allows use of wildcarded domain names as values of
"ipAddress", I am not sure that the ASN.1 agrees (I'm not sure where
the ASN.1 definition of IPAddress comes from and how it is defined).

Rick Huber
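The following is an added example, not part of the message above or of the access control model draft it comments on: a small Python validator for the merged "subject" grammar proposed at the end of the message (the variant with a separate "dns:" form). It shows the two behaviours the message argues for, namely that an authnLevel prefix is accepted only in front of authzID/role/group/subtree/this, and that a domain-name wildcard is a whole leading component and nothing else. Assumptions: IPv6address is taken to be the RFC 2373 text syntax as implemented by Python's ipaddress module; dn values are checked only for non-emptiness, not for RFC 2253 syntax; and authnLevel tokens are not validated, since the draft's authnLevel rule does not appear in the message. The function and variable names are the example's own.

```python
import ipaddress
import re

# RFC 1035-style label, matching the proposed rule
#   domaincomponent = ALPHA [ *61( ALPHA / DIGIT / "-" ) ( ALPHA / DIGIT ) ]
_LABEL = r"[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# "dns:" [ "*." ] domainname -- at most one wildcard, only as the least
# significant (leftmost) component, and only as a whole component.
_DNS_RE = re.compile(rf"^(?P<wild>\*\.)?(?P<name>{_LABEL}(?:\.{_LABEL})*)$")

# Subject forms that may carry an authnLevel prefix under the proposed rule.
_AUTHN_OK = frozenset({"authzID", "role", "group", "subtree", "this"})


def parse_subject(subject: str) -> dict:
    """Parse one access-control 'subject' per the merged grammar.

    Returns {"authnLevel", "kind", "value", "wildcard"}; raises ValueError
    for anything the grammar does not allow.
    """
    authn_level = None
    rest = subject
    if rest.startswith("authnLevel:"):
        parts = rest.split(":", 2)  # ["authnLevel", level, remainder]
        if len(parts) != 3 or not parts[1]:
            raise ValueError(f"malformed authnLevel prefix: {subject!r}")
        # Assumption: the authnLevel token is not validated (rule not on the page).
        authn_level = parts[1]
        rest = parts[2]

    wild = False
    if rest == "public:":
        kind, value = "public", None
    elif rest == "this:":
        kind, value = "this", None
    elif rest.startswith("authzID-"):
        kind, value = "authzID", rest[len("authzID-"):]
    elif rest.startswith(("role:", "group:", "subtree:")):
        # Assumption: dn is checked for non-emptiness only, not RFC 2253 syntax.
        kind, value = rest.split(":", 1)
    elif rest.startswith("ipAddress:"):
        kind = "ipAddress"
        # ipAddress = IPv6address.  ipaddress.IPv6Address accepts the RFC 2373
        # text forms (including ::ffff:a.b.c.d) and rejects a bare dotted quad,
        # so "ipAddress:127.0.0.1" is not a legal subject under this grammar.
        value = str(ipaddress.IPv6Address(rest[len("ipAddress:"):]))
    elif rest.startswith("dns:"):
        kind = "dns"
        m = _DNS_RE.match(rest[len("dns:"):])
        if m is None:
            raise ValueError(f"bad domain name or wildcard: {subject!r}")
        wild = m.group("wild") is not None
        value = m.group("name")
    else:
        raise ValueError(f"unknown subject form: {subject!r}")

    if kind in ("authzID", "role", "group", "subtree") and not value:
        raise ValueError(f"empty value in subject: {subject!r}")
    if authn_level is not None and kind not in _AUTHN_OK:
        # The case the message objects to, e.g. "authnLevel:simple:public:"
        # or an authnLevel in front of an ipAddress subject.
        raise ValueError(f"authnLevel not allowed with {kind}: {subject!r}")

    return {"authnLevel": authn_level, "kind": kind, "value": value, "wildcard": wild}


def is_valid_subject(subject: str) -> bool:
    """True if the subject parses under the proposed grammar."""
    try:
        parse_subject(subject)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample subjects, including the ones discussed in the message.
    for s in ("authnLevel:simple:ipAddress:127.0.0.1",
              "authnLevel:simple:public:",
              "authnLevel:strong:group:cn=admins,dc=example,dc=com",
              "dns:*.example.com", "dns:www.*.example.com",
              "ipAddress:::ffff:127.0.0.1", "ipAddress:127.0.0.1"):
        print(f"{s:55} -> {'ok' if is_valid_subject(s) else 'rejected'}")
```

Because concatenation binds tighter than "/" in RFC 2234 ABNF, the validator follows the grouping in which the optional authnLevel prefix applies to the whole authzID/role/group/subtree/this alternative, which is what the surrounding text describes.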