
Re: subjects in LDAP ACMs
At 06:00 AM 4/25/01, robert byrne wrote:
>The only explicit reference to these "things" I can find in 2820
>actually refers to them as the "Access context" and doesn't have
>anything else to say about them:

As I noted previously, RFC 2820's use of the terminology is a bit
inexact.  However, I believe the intent of the stated requirements is
clear enough.  I won't hair-split over them.

I just reiterate my basic position:

Support for multiple orthogonal subject factors is a rat hole
  (consider precedence and "effective rights" issues).

Support for a single subject factor which includes elements
  not drawn from the "natural" LDAP name space has limited use
  subject to significant security considerations.

The need for non-"natural" subject factors could be addressed
via other means.

For these and other reasons, I believe it best for the LDAP ACM
not to support multiple orthogonal subject factors nor to support
a single subject factor which includes factors not drawn from
the "natural" LDAP name space.

Lastly, I believe we need to keep the LDAP ACM simple.  Not
just for security's sake, but for the sake of timely completion of this
work.

Kurt