IP Address in the ACM (Was: Comments on Access Control Model - BNF)



At 06:28 PM 3/29/01 -0500, Richard V Huber wrote:
>is a legal subject.  Is that really what was intended?  It's not clear
>to me what it means to have an IP address (or a wildcarded domain name)
>use a particular authentication mechanism.

I note the inclusion of IP address is counter to
RFC2820 requirement:

   S6.  Access policy SHOULD NOT be expressed in terms of attributes
   which are easily forged (e.g. IP addresses).  There may be valid
   reasons for enabling access based on attributes that are easily
   forged and the behavior/implications of doing that should be
   documented.

I couldn't find any documentation, in particular Security
Considerations, detailing the behavior/implications for doing that.

I'm also clueless as to why an easily spoofed subject would
have the highest precedence.