[Date Prev][Date Next] [Chronological] [Thread] [Top]

IP/DNS subjects - draft-ietf-ldapext-acl-model-08.txt

To: Ellen Stokes <stokes@austin.ibm.com>
Subject: IP/DNS subjects - draft-ietf-ldapext-acl-model-08.txt
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 02 Jul 2001 19:29:42 -0700
Cc: ietf-ldapext@netscape.com
In-reply-to: <5.0.2.1.0.20010629105210.00a63688@popmail2.austin.ibm.com>

As we've gone around a couple of times on this issue previously,
I will just note my continued objection to the inclusion of
IP address and DNS based subjects as they are easily spoofed.
I especially dislike that they are NOT RECOMMENDED but MUST
be implemented.  I also note that their semantics require
numerous special cases such as abnormal precedence (subjects
w/ ranges, wildcards, and otherwise matching multiple entities
are less specific than authzId based subjects) and grant/deny
semantics.

As the specification allows extension of subject forms, I recommend
that IP address and DNS based subjects be introduce in a document
extending the LDAP ACM specification.

Kurt

Prev by Date: I-D ACTION:draft-ietf-ldapext-acl-model-08.txt
Next by Date: authLevel and related security considerations - draft-ietf-ldapext-acl-model-08.txt
Index(es):
- Chronological
- Thread