
Re: subjects in LDAP ACMs



"Kurt D. Zeilenga" wrote:
> 
> At 06:00 AM 4/25/01, robert byrne wrote:
> >The only explicit reference to these "things" I can find in 2820
> >actually refers to them as the "Access context" and doesn't have
> >anything else to say about them:
> 
> As I noted previously, RFC 2820's use of the terminology is a bit
> inexact.  However, I believe the intent of the stated requirements is
> clear enough.  I won't hair split over them.
> 
> I just reiterate my basic position:
> 
> Support for multiple orthogonal subject factors is a rat hole
>   (consider precedence and "effective rights" issues).

If factors complicate or clash with other parts of the model then that
could be grounds for dropping them from the model.  I wouldn't
anticipate a problem for precedence--I think you could define away any
problems there.  The impact on getEffectiveRights is more serious--I'm
planning to have a look at getEffectiveRights...

Rob.

> 
> Support for a single subject factor which includes elements
>   not drawn from the "natural" LDAP name space has limited use
>   subject to significant security considerations.
> 
> The need for non-"natural" subject factors could be addressed
> via other means.
> 
> For these and other reasons, I believe it best for the LDAP ACM
> not support multiple orthogonal subject factors nor support
> a single subject factor which includes factors not drawn from
> the "natural" LDAP name space.
> 
> Lastly, I believe we need to keep the LDAP ACM simple.  Not
> just for security's sake, but for sake of timely completion of this
> work.
> 
> Kurt
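
An added illustration of the precedence and "effective rights" concern raised in the quoted text. This is not code from the thread, RFC 2820, or any LDAP ACM draft: the ACI fields, the "transport" factor, the precedence rule (more explicit factors win, explicit deny wins a tie) and the sample policy are all assumptions made for the example. The point it shows is that once a second, orthogonal subject factor exists, a getEffectiveRights-style query that names only the subject DN no longer has a single answer; it has one answer per possible value of the omitted factor, and the model additionally has to define what happens when equally specific grant and deny ACIs collide.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Hypothetical toy ACIs with two subject factors:
#   who: a DN from the "natural" LDAP name space, or "*" for anyone
#   how: an orthogonal, non-DN factor, here the connection transport
# Field names, factor values and rule syntax are invented for this example.
TRANSPORTS = ("clear", "tls")
RIGHTS = ("read", "write", "add", "delete")


@dataclass(frozen=True)
class ACI:
    who: str                 # subject DN or "*"
    how: str                 # "clear", "tls" or "*"
    grant: bool              # True = grant, False = deny
    rights: FrozenSet[str]   # rights this ACI grants or denies

    def matches(self, dn: str, transport: str) -> bool:
        return self.who in ("*", dn) and self.how in ("*", transport)

    def specificity(self) -> int:
        # Assumed precedence rule: each explicitly named factor adds one.
        return int(self.who != "*") + int(self.how != "*")


def effective_rights(acis: List[ACI], dn: str, transport: str) -> FrozenSet[str]:
    """Rights for a fully specified access context (dn, transport)."""
    granted: Set[str] = set()
    for right in RIGHTS:
        applicable = [a for a in acis if a.matches(dn, transport) and right in a.rights]
        if not applicable:
            continue
        top = max(a.specificity() for a in applicable)
        winners = [a for a in applicable if a.specificity() == top]
        # Assumed tie-break: an explicit deny at the highest precedence wins.
        if all(a.grant for a in winners):
            granted.add(right)
    return frozenset(granted)


def get_effective_rights(acis: List[ACI], dn: str,
                         transport: Optional[str] = None) -> Dict[str, FrozenSet[str]]:
    """getEffectiveRights-style query.  When the orthogonal factor is omitted,
    the only honest answer is one result per possible value of that factor."""
    if transport is not None:
        return {transport: effective_rights(acis, dn, transport)}
    return {t: effective_rights(acis, dn, t) for t in TRANSPORTS}


def is_determinate(results: Dict[str, FrozenSet[str]]) -> bool:
    """True when the DN alone fixes the answer regardless of the other factor."""
    return len(set(results.values())) == 1


# Constructed sample policy (assumption, not from any real directory).
ROB = "cn=rob,dc=example,dc=com"
ALICE = "cn=alice,dc=example,dc=com"
POLICY = [
    ACI("*", "*", True, frozenset({"read"})),        # everyone may read
    ACI(ROB, "*", True, frozenset({"write"})),       # rob may write ...
    ACI("*", "clear", False, frozenset({"write"})),  # ... but nobody writes over cleartext
]

if __name__ == "__main__":
    # rob over tls: read+write; rob over clear: read only (deny wins the tie)
    for dn in (ROB, ALICE):
        res = get_effective_rights(POLICY, dn)
        print(dn, {t: sorted(r) for t, r in res.items()},
              "determinate" if is_determinate(res) else "depends on transport")
```

Rob's rights cannot be stated without naming the transport, while Alice's can; adding one more orthogonal factor multiplies the answers again, which is the rat hole the quoted text refers to.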