
Re: [ldapext] draft-ietf-boreham-numsubordinates-01.txt



> You're raising some interesting issues regarding access control. After
> thinking about it I'd like to see the statement above removed from the
> draft. The value of numSubordinates should not try to reflect the client's
> view.

The original motivation behind the statement in question was
to avoid leaking information otherwise restricted by access control,
via the numSubordinates attribute.

Of course any implementation which actually does generate
a different numSubordinates value depending upon access
control to the subordinate entries is likely to be rather inefficient.

I'm not aware of an implementation which actually does this.

So provided there aren't objections, I'm happy to remove the
statement.

It may be appropriate to add something to the effect that
access to the numSubordinates attribute by a client may
compromise attempts to restrict access to the subordinate tree.

I don't believe that the specific access control mechanism
matters here (but correct me if I'm wrong).





_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
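Added example, not part of the draft or of the message above: a toy directory with a constructed per-entry ACL (the client names, DNs and `readable_by` sets are assumptions for illustration) that shows the two positions in the thread side by side. `num_subordinates_actual` is the plain count, identical for every client; `num_subordinates_per_client` is the alternative the message calls inefficient, recomputing the count against the client's own view on every read. `hidden_entries_inferred` is what a client can learn by comparing the advertised attribute with the result of its own one-level search.

```python
"""Added example, not from the draft or the ldapext message.

A small directory subtree with a constructed access-control model. Each entry
carries the set of client names allowed to read it. Against this model the
code compares the real numSubordinates value with a per-client value and
shows how much a client with partial access can infer from the real one.
"""

from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    readable_by: frozenset  # constructed ACL: client names that may read this entry
    children: list = field(default_factory=list)


def build_tree() -> Entry:
    """Constructed sample subtree: one public child and two children only 'admin' may read."""
    parent = Entry("ou=people,dc=example,dc=com", frozenset({"admin", "alice"}))
    parent.children = [
        Entry("cn=public,ou=people,dc=example,dc=com", frozenset({"admin", "alice"})),
        Entry("cn=hidden1,ou=people,dc=example,dc=com", frozenset({"admin"})),
        Entry("cn=hidden2,ou=people,dc=example,dc=com", frozenset({"admin"})),
    ]
    return parent


def one_level_search(entry: Entry, client: str) -> list:
    """What a one-level search under `entry` returns to this client: only readable children."""
    return [c for c in entry.children if client in c.readable_by]


def num_subordinates_actual(entry: Entry) -> int:
    """The plain count: the same value for every client and cheap to maintain."""
    return len(entry.children)


def num_subordinates_per_client(entry: Entry, client: str) -> int:
    """The client-view count: access control is evaluated on every subordinate
    each time the attribute is read, which is the cost the thread objects to."""
    return len(one_level_search(entry, client))


def hidden_entries_inferred(entry: Entry, client: str, advertised: int) -> int:
    """Number of subordinates the client can infer exist but cannot read: the
    gap between the advertised numSubordinates and its own search result.
    Zero means the attribute revealed nothing the search did not."""
    return max(0, advertised - len(one_level_search(entry, client)))


if __name__ == "__main__":
    tree = build_tree()
    for client in ("admin", "alice"):
        actual = num_subordinates_actual(tree)
        masked = num_subordinates_per_client(tree, client)
        print(f"{client}: actual={actual} per_client={masked} "
              f"inferred_hidden={hidden_entries_inferred(tree, client, actual)}")
```

With the actual count, `alice` sees numSubordinates=3 while her search returns one entry, so she learns that two entries she cannot read exist under the parent; with the per-client count the gap is zero. The example is a model only: it does not assume any particular server's access-control syntax, matching the remark in the message that the specific mechanism does not matter here.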