
Re: subjects in LDAP ACMs



At 08:39 AM 4/24/01, robert byrne wrote:
>I would say that those policy things that belong in the authentication
>subsystem are those things which are likely to be required to be a
>function of the authorization id only.

No.  The authentication subsystem is a function of credentials
and other information which results in the establishment of an
authorization identity.  This authorization identity is then
granted access to information by the ACM. While the ACM could
base access upon information by other factors, such as which
mechanism was used and/or the presence of security layers, there
are numerous security considerations the user must be made aware
of.

I see a few major considerations.  In particular, an attack upon
a weak mechanism could be used to gain access requiring strong
authentication.  That is, a password exposed by use of simple bind
could be used to gain access via DIGEST-MD5.

I also note that the ACM does nothing to prevent a client from
exposing data to attackers.  It only prevents
the server from exposing data.  Policy meant to protect the
exposure of sensitive information must encompass the client as
well.  While the authentication/authorization system cannot prevent
clients which access the directory anonymously from exposing such
information, the authentication/authorization system can and SHOULD
prevent authorized clients from accessing the directory (as a whole)
without appropriate authorization.

>Finally what we are discussing here are "factors" not "subjects" and so
>I don't think they are ruled out by U2.

Authorization identities are one type of factor.  There are
numerous types of factors which could be used to make access
control decisions.  I believe RFC 2820 and this I-D use the
term subject to refer to any kind of factor derived from or
provided from the client's LDAP association.
  "Security subject - An entity in an active role to which a
  security policy applies." [RFC2820]

  "This policy data describes security-relevant characteristics
  of the requesting subject and the rules which govern the use
  of the target object." [I-D]

I assume U2 applies not only to authorization identities but
all factors associated with the subject.  All of the factors
you suggest relate directly to the entity to which the security
policy applies and hence are "subject factors" or "subjects".

Kurt
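The mechanism-downgrade concern raised in the message above, worked through as a small model (added example, not code from the thread or from any LDAP implementation; the DN, password, attribute names, SSF values and the ACM rule shape are all constructed for illustration). An authentication step maps credentials to a Subject carrying several factors (authorization identity, bind mechanism, security strength factor of the association), and an ACM rule grants userCertificate to alice only when the mechanism was DIGEST-MD5. Because the same password also serves simple bind, a passive eavesdropper on a cleartext simple bind learns the password and then satisfies the "strong mechanism" rule via DIGEST-MD5; protecting the association itself (simple bind only inside a security layer) is what removes the exposure, not the ACM rule.

```python
"""Toy model: authentication subsystem -> authorization identity -> ACM decision
based on subject factors (authz id, mechanism, SSF).  Added illustration, not
code from the thread; every name and value is hypothetical/constructed."""

from dataclasses import dataclass

ALICE = "uid=alice,dc=example,dc=com"      # constructed DN
PASSWORDS = {ALICE: "correct horse"}        # constructed credential store; one
                                            # password serves both simple bind
                                            # and DIGEST-MD5, as is usual


@dataclass(frozen=True)
class Subject:
    """Factors the ACM may consult; all derive from the client's LDAP association."""
    authz_id: str      # authorization identity ("anonymous" if none established)
    mechanism: str     # "anonymous", "simple" or "DIGEST-MD5"
    ssf: int           # security strength factor: 0 = no security layer


@dataclass(frozen=True)
class Rule:
    target_attr: str
    allowed_authz: frozenset
    require_mechanism: frozenset = frozenset()   # empty = any mechanism
    min_ssf: int = 0


def authenticate(dn, password, mechanism, ssf):
    """Authentication subsystem: credentials -> Subject, or None on failure."""
    if mechanism == "anonymous":
        return Subject("anonymous", mechanism, ssf)
    if PASSWORDS.get(dn) == password:
        return Subject(dn, mechanism, ssf)
    return None


def acm_permits(rules, subject, attr):
    """ACM: grant if some rule for attr is satisfied by the subject's factors."""
    for r in rules:
        if r.target_attr != attr or subject.authz_id not in r.allowed_authz:
            continue
        if r.require_mechanism and subject.mechanism not in r.require_mechanism:
            continue
        if subject.ssf < r.min_ssf:
            continue
        return True
    return False


def eavesdrop(mechanism, password, ssf):
    """Passive network attacker.  A simple bind carries the password itself,
    so it is exposed unless a security layer protects the association;
    DIGEST-MD5 sends a digest, not the password."""
    if mechanism == "simple" and ssf == 0:
        return password
    return None


# Policy under discussion: userCertificate is readable by alice only when she
# authenticated with DIGEST-MD5 (the mechanism used as a subject factor).
RULES = (Rule("userCertificate", frozenset({ALICE}),
              require_mechanism=frozenset({"DIGEST-MD5"})),)


def run_scenario(client_simple_bind_ssf):
    """alice performs a simple bind at the given SSF; an attacker on the wire
    then tries to reach userCertificate via DIGEST-MD5 with whatever it saw.
    Returns (alice_permitted, attacker_permitted)."""
    alice_pw = PASSWORDS[ALICE]
    alice = authenticate(ALICE, alice_pw, "simple", client_simple_bind_ssf)
    alice_ok = alice is not None and acm_permits(RULES, alice, "userCertificate")

    stolen = eavesdrop("simple", alice_pw, client_simple_bind_ssf)
    attacker = authenticate(ALICE, stolen, "DIGEST-MD5", 0) if stolen else None
    attacker_ok = attacker is not None and acm_permits(RULES, attacker, "userCertificate")
    return alice_ok, attacker_ok


if __name__ == "__main__":
    # Cleartext simple bind: alice herself is denied (wrong mechanism), yet the
    # attacker who captured her password is granted access via DIGEST-MD5.
    print(run_scenario(0))     # (False, True)
    # Simple bind inside a security layer: nothing exposed, attacker has no credential.
    print(run_scenario(256))   # (False, False)
```

The outcome of run_scenario(0) is the point of the message: the ACM's mechanism check is only as strong as the weakest mechanism through which the same credential can leak, and that leak happens on the client's side of the association, where the ACM never looks.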