
Re: IP Address in the ACM (Was: Comments on Access ControlModel - BNF)



At 04:17 PM 4/5/01 +0200, robert byrne wrote:
>I don't think we should put optional things in the spec--it will create
>interoperability problems.

Interoperability at what level?  There is nothing in this
specification or LDAP that requires two independently
developed implementations to act in the same manner given the
same data.  All that LDAP provides is that the client and
server understand what each said; that is "protocol
interoperability" not "application interoperability."  LDAP
does not require implementations to be equally capable.

A case in point is that user "foo" in realm "EXAMPLE"
(via SASL/DIGEST-MD5) might have the implicit authzid
of "u:foo" on one server and "dn:uid=foo,dc=example,dc=com"
on one server (even though both hold the copies of the same
naming contexts and share the same REALM information).
There are obviously significant implications to this at
the application level, but not at the protocol level.

Please note there are very few MUSTs (or SHALLs) in the
ACM technical specification.

>I don't see why you are particularly down on ip address subjects,
>but a subject with simple authentication doesn't seem to bother you.

All of the current authnLevel stuff concerns me greatly.  I
have posted on this separately.
        Kurt