
Re: increasing complexity - draft-ietf-ldapext-acl-model-08.txt
> > - remove authnLevel.  Don't add integrity/confidentiality
> >   factors.
> 
> Having read the draft, either the authnLevel should be
> removed or just auth mechanisms listed.  The current proposed
> bucketization of authnLevel is a recipe for interoperability
> nightmares.
> 

I disagree that this is an interop nightmare. When an admin
is constructing an ACI using an authnLevel, they are interested
in the probability that an authenticated user is who they claim
to be.
Two systems may allow different mechanisms, but the mechanisms
can be mapped onto the different strengths, so I think it would
aid interop.
The strength level 'buckets' also help when a mechanism is deprecated
for some reason (e.g. Cram-MD5 would not have been categorized as
weak a few years ago), or when a new mechanism is added to the server.

Mark
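To make the argument above concrete, here is an added example (not code from the thread, the draft, or any LDAP implementation) that models authnLevel buckets as an ordered strength scale. Two servers offering different SASL mechanisms each map their own mechanisms onto the same buckets, so a single ACI requirement such as "at least limited" evaluates consistently on both, and re-bucketing a deprecated mechanism changes access decisions without touching the ACI. The bucket names (none, weak, limited, strong), the mechanism-to-bucket assignments and the class names are assumptions made for the example.

```python
# Added example: authnLevel buckets as an ordered scale with per-server
# mechanism mappings. Bucket names and mechanism assignments are assumed
# for illustration, not taken from the draft.

# Ordered from weakest to strongest; index = rank.
LEVELS = ["none", "weak", "limited", "strong"]


def level_rank(level):
    """Numeric rank of a bucket so levels can be compared with >=."""
    if level not in LEVELS:
        raise ValueError("unknown authnLevel: %r" % level)
    return LEVELS.index(level)


class AuthnPolicy:
    """A server's local mapping from authentication mechanism to bucket."""

    def __init__(self, mechanism_levels):
        # Validate every configured level up front.
        for level in mechanism_levels.values():
            level_rank(level)
        self.mechanism_levels = dict(mechanism_levels)

    def level_for(self, mechanism):
        # An unmapped or unknown mechanism counts as unauthenticated
        # (fail closed rather than guessing a strength).
        return self.mechanism_levels.get(mechanism, "none")

    def satisfies(self, mechanism, required_level):
        """True if the mechanism's bucket meets the ACI's required level."""
        return level_rank(self.level_for(mechanism)) >= level_rank(required_level)

    def rebucket(self, mechanism, new_level):
        """Move a mechanism to another bucket, e.g. after it is deprecated."""
        level_rank(new_level)
        self.mechanism_levels[mechanism] = new_level


# Two servers with different mechanism sets but a shared bucket vocabulary
# (constructed sample configurations).
SERVER_A = AuthnPolicy({
    "ANONYMOUS": "none",
    "SIMPLE": "weak",        # cleartext password
    "CRAM-MD5": "limited",
    "GSSAPI": "strong",      # Kerberos
})

SERVER_B = AuthnPolicy({
    "ANONYMOUS": "none",
    "DIGEST-MD5": "limited",
    "EXTERNAL": "strong",    # TLS client certificate
})


def check_access(policy, mechanism, required_level):
    """Evaluate one ACI clause 'authnLevel >= required_level' on a server."""
    return policy.satisfies(mechanism, required_level)


def deprecation_effect(policy, mechanism, new_level, required_level):
    """Show the before/after access decision when a mechanism is re-bucketed."""
    before = policy.satisfies(mechanism, required_level)
    policy.rebucket(mechanism, new_level)
    after = policy.satisfies(mechanism, required_level)
    return before, after


if __name__ == "__main__":
    # The same ACI requirement works on both servers despite different mechanisms.
    print("A GSSAPI   >= limited:", check_access(SERVER_A, "GSSAPI", "limited"))
    print("B EXTERNAL >= limited:", check_access(SERVER_B, "EXTERNAL", "limited"))
    print("A SIMPLE   >= limited:", check_access(SERVER_A, "SIMPLE", "limited"))
    # Deprecating CRAM-MD5 to 'weak' flips the decision without editing the ACI.
    print("A CRAM-MD5 before/after:",
          deprecation_effect(SERVER_A, "CRAM-MD5", "weak", "limited"))
```

The design point is that the ACI names a bucket, not a mechanism: each server owns the mechanism-to-bucket mapping, and an unknown mechanism falls into the lowest bucket so a misconfiguration denies rather than grants.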