
Re: IP Address in the ACM (Was: Comments on AccessControlModel - BNF)



"Kurt D. Zeilenga" wrote:
> 
> At 03:22 PM 4/6/01 +0200, robert byrne wrote:
> >Mmmm...will the next version of your product not allow the ability to
> >grant public access, because that's "insecure"?
> 
> With "public", we're going to disable it by default and require
> the administrator take action to enable it when desired.
> 

Do you mean that this action is external to your ACM, i.e. it's not that
he just has to create an aci granting public access but rather he has to
turn on the ability to create such acis, external to the aci system?

> >I suspect not--because
> >in some situations that's a useful policy, explicitly set by the
> >administrator.
> 
> If explicitly set by the administrator, yes.
> 
> >It seems to me that the same is probably true of an
> >ip-address subject and simple authentication.
> 
> If you are not on the Internet, maybe.  But on the
> Internet, use of simple or IP-addressed authentication
> is not appropriate and we should require implementations
> to such and, in fact, we should recommend against (i.e. with
> a SHOULD NOT) support such in our security considerations.
> 

Well, depends what you mean by "the Internet": is my corporate intranet
part of the Internet?  There's a boundary there, but they are connected
and they all use IP.  The intranet though is generally a less hostile
place than the external Internet.  LDAP directories are fairly popularly
deployed in intranets and it seems to me that if one ACM can accommodate
both intranets and the Internet at large then that's a good thing.
Developing a different ACM for every type of environment you can think
of doesn't sound like a great plan to me.

Rob.

> Kurt