Re: IP Address in the ACM (Was: Comments onAccessControlModel- BNF)



Kurt/Paul,

Fair enough...

To restate my own position: "security" depends on the environment--there
will be environments where things like public access, simple
authentication and ip address based access controls will be both
acceptable and desirable.  Removing such things from the ACM is a
disservice to users in those environments and making them optional
introduces an unnecessary "point of non-interoperability" to the model.

Rob.

Paul Leach wrote:
> 
> I agree with Kurt. There is no reason why such a feature needs to be
> promulgated today -- many stronger mechanisms are readily available.
> 
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > Sent: Monday, April 09, 2001 10:22 AM
> > To: robert byrne
> > Cc: ietf-ldapext@netscape.com
> > Subject: Re: IP Address in the ACM (Was: Comments
> > onAccessControlModel- BNF)
> >
> >
> > Robert,
> >
> > I think we're going to have to agree to disagree on this one.
> >
> > To ensure that there is no confusion as to my position, I'll reiterate it.
> >
> > I object to a MUST (or SHOULD) for the ipAddress and DNS name
> > based subjects as I believe it inappropriate to mandate (or
> > recommend) the implementation of easily spoofed subjects. It is
> > my opinion that these subjects should either be completely
> > removed (my preference) or made OPTIONAL. If made OPTIONAL,
> > the document should contain a detailed explanation of the
> > security considerations associated with the use of these subjects.
> >
> > Kurt
> >
> >