
Re: ACL for PGP

That's what I thought. Do you have any idea why these PGP clients need write permission throughout the whole tree, not just in the PGP Keys branch?


At 21:12 09.01.2002 +0100, you wrote:

The interpretation is quite simple.
It goes from top to bottom and stops at the first match

On Wednesday 09 January 2002 13:28, you wrote:
> access to    dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
Anybody has write access to anything below o=PGP Keys,dc=atrete,dc=ch

> access to dn=".*,dc=atrete,dc=ch" by * write
Anybody has write access to anything below dc=atrete,dc=ch

> access to dn=".*,dc=ch" by * read
Anybody has read access to anything below dc=atrete,dc=ch
But remember: anything below dc=atrete,dc=ch is writable
because of the "stop at first match" rule.

> access to * by * write
Anybody has write access to anything else

IMHO the first line is not necessary, since it should be covered
by the second line.

1 A very big part of your directory is writable by anybody
  (including anonymous).
  [This is very funny if you use your directory to publish
  PGP keys, since anybody can publish faked PGP keys.]
2 If you only have entries below dc=atrete,dc=ch in your directory,
  the only entry that is read-only is the entry dc=atrete,dc=ch.
3 If you have entries below dc=ch in your directory that are not below
  dc=atrete,dc=ch, they are all read-only.


Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35

Alejandra Moreno Espinar
at rete ag

mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
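To make the "top to bottom, stop at the first match" rule from Peter's reply concrete, here is an added example (my own code, not anything posted in this thread or shipped with OpenLDAP). It parses the four access lines exactly as quoted above into a small model of slapd's ACL evaluation and reports what an anonymous client gets on a handful of constructed entry DNs; the entry names, the "identity" argument and the TIGHTENED_ACL variant are my assumptions for illustration. It also assumes the dn="..." patterns are matched against the whole DN (regex fullmatch), which is how the ".*,dc=..." patterns in the thread are evidently meant.

```python
import re

# Access levels in increasing order of privilege, as in slapd.access(5):
# a granted level implies every lower one (write implies read, and so on).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse a simplified slapd.conf ACL list into [(dn_regex, [(who, level), ...])].

    Only the subset used in the thread is understood:
      access to dn="<regex>" by <who> <level> [by <who> <level> ...]
      access to * by <who> <level> ...
    where <who> is '*', 'anonymous' or 'users'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'access\s+to\s+(\*|dn="([^"]*)")\s+(by\s+.*)$', line)
        if not m:
            raise ValueError(f"cannot parse: {line}")
        dn_regex = ".*" if m.group(1) == "*" else m.group(2)
        by_clauses = re.findall(r'by\s+(\S+)\s+(\S+)', m.group(3))
        for who, level in by_clauses:
            if who not in ("*", "anonymous", "users") or level not in LEVELS:
                raise ValueError(f"unsupported clause: by {who} {level}")
        rules.append((dn_regex, by_clauses))
    return rules


def granted_level(rules, dn, identity=None):
    """Return the level slapd would grant `identity` on entry `dn`.

    identity=None models an anonymous (unauthenticated) client.
    Rules are tried top to bottom; the first 'access to' whose pattern
    matches the DN decides, and within it the first applicable 'by'
    clause wins. A matching rule with no applicable 'by' clause denies.
    """
    for dn_regex, by_clauses in rules:
        # Assumption: patterns are anchored against the whole normalized DN.
        if not re.fullmatch(dn_regex, dn, re.IGNORECASE):
            continue
        for who, level in by_clauses:
            if who == "*" \
                    or (who == "anonymous" and identity is None) \
                    or (who == "users" and identity is not None):
                return level
        return "none"
    return "none"  # no rule matched at all: treat as denied (assumption)


def allowed(rules, dn, wanted, identity=None):
    """True if the granted level is at least `wanted` (write implies read)."""
    return LEVELS.index(granted_level(rules, dn, identity)) >= LEVELS.index(wanted)


# The ACL exactly as posted in the thread.
POSTED_ACL = """
access to    dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
access to dn=".*,dc=atrete,dc=ch" by * write
access to dn=".*,dc=ch" by * read
access to * by * write
"""

# A tightened variant (my assumption, not proposed in the thread): key
# entries are writable only by authenticated users, everything is readable.
TIGHTENED_ACL = """
access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by users write by * read
access to * by * read
"""

# Constructed entry DNs covering each of Peter's three observations.
SAMPLE_ENTRIES = [
    "cn=alice,o=PGP Keys,dc=atrete,dc=ch",  # a published key entry
    "uid=bob,ou=people,dc=atrete,dc=ch",    # an ordinary entry in the tree
    "dc=atrete,dc=ch",                       # the suffix entry itself
    "o=other,dc=ch",                         # an entry below dc=ch, not atrete
    "dc=ch",                                 # caught only by 'access to *'
]


def analyse(acl_text, identity=None):
    """Map each sample DN to the level the ACL grants `identity` on it."""
    rules = parse_acl(acl_text)
    return {dn: granted_level(rules, dn, identity) for dn in SAMPLE_ENTRIES}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("tightened", TIGHTENED_ACL)):
        print(f"--- {name} ACL, anonymous client ---")
        for dn, level in analyse(acl).items():
            print(f"{level:>5}  {dn}")
```

Running it reproduces the reply's points: with the posted ACL an anonymous client gets write on every entry below dc=atrete,dc=ch (including the PGP key entries), read only on dc=atrete,dc=ch itself and on sibling entries below dc=ch, and write again on anything the catch-all "access to *" reaches. With the tightened variant the same anonymous client is read-only everywhere, while a bound user can still update the key branch.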