
Re: [ldapext] information on access control

Shari,

Here's the complete list of access control standards I've personally been
involved in.

Open Group aznAPI (you can view HTML free but have to pay for .PDF):

      http://www.opengroup.org/publications/catalog/c908.htm

OMG CORBAsecurity (contains access control interfaces; for a better
description buy my book "CORBA Security"):

      http://www.omg.org/cgi-bin/doc?formal/2002-03-11

OMG RAD (Resource Access Decision)

      http://www.omg.org/cgi-bin/doc?formal/2001-04-01

OASIS SAML (Security Assertions Markup Language); this isn't an access
control specification per se but allows
an authorization decision service to consume standard subject attribute
descriptions and produce standard tokens
stating its decision:

      http://www.oasis-open.org/committees/security/

=======================

The Grand-daddy of access control specifications is the ISO Access Control
Framework; no one with an interest
in access control should be without a copy of this (even though you have to
pay for it):

      http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=18199&ICS1=35&ICS2=100&ICS3=1

You may also want to look at X.500 Access Control (though I think this
model has lots of problems; I can elaborate
off-list if you're interested); David Chadwick is my favorite source of
information on this topic:

      http://www.isi.salford.ac.uk/staff/dwc/Version.Web/Chapter.8/Chapter8a.htm

The actual specification is here:

      http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.500-200102-I

Novell's NDS has an extremely powerful and flexible access control model;
Ed Reed (who often contributes
to this list) is a good source of information about it; I don't have a link
to a good description online.

Finally, you might want to take a look at the WebDAV access control model:

      http://www.ietf.org/internet-drafts/draft-ietf-webdav-acl-09.txt


--bob

Bob Blakley (email: blakley@us.ibm.com   phone: +1 512 286-2240   fax: +1 512 286-2057)
Chief Scientist, Security and Privacy, IBM Tivoli Software

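As an added illustration of the SAML role described above (an authorization decision service that consumes subject attributes and emits a standard token carrying its decision), here is a small Python model of that exchange. This is not code from the thread, from OASIS, or from any of the listed specifications: the policy table, the role attribute, the resource URNs and the sample request are all constructed here, and the XML is patterned after the SAML 1.x AuthorizationDecisionStatement (Resource and Decision attributes, a Subject, and an Action in the rwedc action namespace) without the enclosing signed Assertion, Issuer or Conditions a real token would carry.

```python
"""Toy SAML 1.x-style authorization decision service.

Added example, not part of the original mailing-list thread.  Everything
below the namespace constants (policy, roles, resources, requests) is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace and the standard Read/Write/Execute/Delete/
# Control action namespace.  The statement is emitted bare; a real token
# wraps it in a signed <Assertion> with Issuer and validity Conditions.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"
ET.register_namespace("saml", SAML_NS)

# Constructed policy: (resource prefix, action) -> roles that are permitted.
POLICY = {
    ("urn:example:ldap:ou=People", "Read"): {"employee", "admin"},
    ("urn:example:ldap:ou=People", "Write"): {"admin"},
}


def decide(subject_attrs, resource, action):
    """Return "Permit", "Deny" or "Indeterminate".

    subject_attrs is a dict of attribute name -> list of values, the shape
    a SAML AttributeStatement delivers.  A policy entry whose resource
    prefix and action match and which shares a role with the subject
    permits; a resource no policy covers is Indeterminate; anything else
    is Deny (default-deny, so a missing "role" attribute never permits).
    """
    roles = set(subject_attrs.get("role", []))
    covered = False
    for (res_prefix, act), allowed in POLICY.items():
        if resource.startswith(res_prefix):
            covered = True
            if act == action and roles & allowed:
                return "Permit"
    return "Deny" if covered else "Indeterminate"


def build_statement(subject_name, resource, action, decision):
    """Serialize the decision as a SAML 1.x-style statement."""
    tag = lambda local: "{%s}%s" % (SAML_NS, local)
    stmt = ET.Element(tag("AuthorizationDecisionStatement"),
                      {"Resource": resource, "Decision": decision})
    subj = ET.SubElement(stmt, tag("Subject"))
    ET.SubElement(subj, tag("NameIdentifier")).text = subject_name
    ET.SubElement(stmt, tag("Action"), {"Namespace": ACTION_NS}).text = action
    return ET.tostring(stmt, encoding="unicode")


def parse_statement(xml_text):
    """Read back the fields a relying party (e.g. an LDAP proxy) would act on."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    return {
        "subject": root.findtext("saml:Subject/saml:NameIdentifier", namespaces=ns),
        "resource": root.get("Resource"),
        "decision": root.get("Decision"),
        "action": root.findtext("saml:Action", namespaces=ns),
    }


def authorize(subject_name, subject_attrs, resource, action):
    """Full round: attributes in, decision token out."""
    decision = decide(subject_attrs, resource, action)
    return build_statement(subject_name, resource, action, decision)


if __name__ == "__main__":
    # Constructed request: an employee asks to read a People entry.
    token = authorize("uid=alice", {"role": ["employee"]},
                      "urn:example:ldap:ou=People,dc=example", "Read")
    print(token)
    print(parse_statement(token))
```

The relying party in this picture would also have to verify the signature on the enclosing assertion and check its Conditions (NotBefore/NotOnOrAfter, intended audience) before trusting the Decision attribute; the statement element alone carries no integrity protection.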

Rob Byrne - Sun Microsystems <robert.byrne@sun.com>@ietf.org on 11/21/2002
03:40:47 AM

Please respond to robert.byrne@sun.com

Sent by:    ldapext-admin@ietf.org


To:    Shari Galitzer <SGalitzer@cygnacom.com>
cc:    "'ldapext@ietf.org'" <ldapext@ietf.org>
Subject:    Re: [ldapext] information on access control

Shari,

I'm sure others will point you to any recent documents issued on this
(LDUP, Stephens's x.500 acl usage etc.).  The Open group also appears to be
dabbling in this area....

However, to give you some perspective as a directory vendor...we feel that
the opportunity has been missed for a standard LDAP acl and that the level of
inter-vendor integration/synchronization implied by a standard acl model
(and repl model) will more realistically be achieved by meta
directory/directory proxy type solutions.

You will find discussions on this on this list's archive (eg.
subject: moving access control discussion to LDUP) or on the LDUP archive.

Rob.

Shari Galitzer wrote:

Hi,

I'm trying to find some information on current efforts to specify standards
for access control for LDAP directories.  I see access control is an area
being worked on but cannot find any information.  Can you point me to some
information?

Thanks a lot,
Shari Galitzer
Principal Security Engineer
Phone: 608-251-6414
Fax: 608-663-6332

Entrust/CygnaCom


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext