
Re: IP Address in the ACM (Was: Comments on AccessControlModel - BNF)



"Kurt D. Zeilenga" wrote:
> 
> At 04:17 PM 4/5/01 +0200, robert byrne wrote:
> >I don't think we should put optional things in the spec--it will create
> >interoperability problems.
> 
> Interoperability at what level?  There is nothing in this
> specification or LDAP that requires two independently
> developed implementations to act in the same manner given the
> same data.  All that LDAP provides is that the client and
> server understand what each said; that is "protocol
> interoperability" not "application interoperability."  LDAP
> does not require for implementations to be equally capable.
> 
> A case in point is that user "foo" in realm "EXAMPLE"
> (via SASL/DIGEST-MD5) might have the implicit authzid
> of "u:foo" on one server and "dn:uid=foo,dc=example,dc=com"
> on one server (even though both hold the copies of the same
> naming contexts and share the same REALM information).
> There are obviously significant implications to this at
> the application level, but not at the protocol level.
> 

Well, there is certainly lots of stuff that we have not pinned down in
this draft.  I hope that that is because they are hard or beyond the
scope of the draft.  However, not specifying something as optional is
definitely within our control and will avoid the situation where one
server implements the ip subject and another server does not--simple as
that.

Rob.

> Please note there are very few MUSTs (or SHALLs) in the
> ACM technical specification.
> 
> >I don't see why you are particularly down on ip address subjects,
> >but a subject with simple authentication doesn't seem to bother you.
> 
> All of the current authnLevel stuff concerns me greatly.  I
> have posted on this separately.
>         Kurt