
Re: subjects in LDAP ACMs



It's my personal opinion that ACMs should be based upon
authorization identities and that controls based upon
other factors (authentication method (or level), IP
address, DNS name, etc.) should be left to other administrative
mechanisms (such as those within the authentication
subsystem and those external to LDAP (topology enforcement
systems)).

The primary reason is simplicity.  While an extensible
ACM which supports multiple orthogonal access control factors
would be more flexible, it is also quite complex (to design,
implement, and use).

Hence, I think we should do as RFC 2820 suggests [with clarification]:
   U1.  When in doubt, simpler is better, both at the interface and in
   the implementation.

   U2.  Subjects MUST be drawn from the "natural" LDAP namespace; they
   should be DNs [or RFC2829 authzIds].

The suggested "non-factor subjects" are not drawn from the "natural"
LDAP name space.  They add unnecessary complexity to the interface
and its implementations.

Kurt
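To make the distinction concrete, here is an added example (mine, not Kurt's and not any LDAP implementation's) of a minimal ACM whose only subject type is an RFC 2829 authzId ("dn:" or "u:" form), so a rule naming an IP address or authentication method is rejected when it is defined rather than evaluated. The DN normalisation is deliberately simplified, and the rule semantics (ordered rules, first match wins, default deny) are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed example: an RFC 2829 authzId is either "dn:<DN>" or "u:<userid>".
AUTHZID_RE = re.compile(r"^(dn|u):(.+)$", re.IGNORECASE)
LEVELS = {"none": 0, "read": 1, "write": 2}

def normalize_dn(dn: str) -> str:
    # Simplified caseIgnore DN matching: trims whitespace around RDN
    # separators and lower-cases everything.  Escaped commas are not handled.
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()

def normalize_authzid(authzid: str) -> str:
    """Canonicalise an authzId; anything outside the LDAP namespace is rejected."""
    m = AUTHZID_RE.match(authzid.strip())
    if not m:
        raise ValueError(f"subject {authzid!r} is not an RFC 2829 authzId")
    kind, value = m.group(1).lower(), m.group(2).strip()
    return f"{kind}:{normalize_dn(value) if kind == 'dn' else value}"

def is_valid_subject(authzid: str) -> bool:
    try:
        normalize_authzid(authzid)
        return True
    except ValueError:
        return False

@dataclass
class Rule:
    target: str   # normalised DN of the protected entry
    subject: str  # normalised authzId
    level: str    # "none", "read" or "write"

@dataclass
class ACM:
    rules: list = field(default_factory=list)

    def add(self, target_dn: str, subject: str, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        # Subject validated here: "ip:..." or "authmethod:..." rules never enter the model.
        self.rules.append(Rule(normalize_dn(target_dn), normalize_authzid(subject), level))

    def check(self, target_dn: str, authzid: str, wanted: str) -> bool:
        """Ordered rules, first match wins, default deny (assumed semantics)."""
        target, subject = normalize_dn(target_dn), normalize_authzid(authzid)
        for rule in self.rules:
            if rule.target == target and rule.subject == subject:
                return LEVELS[rule.level] >= LEVELS[wanted]
        return False
```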