Re: protocol-22 comments
>>>> Hallvard B Furuseth <firstname.lastname@example.org> 3/9/04 7:20:19 AM
>> 4.2. Bind Operation
>> Authorization is the use of this authentication information when
>> performing operations.
>No, authorization need not make use of the authentication
>One could e.g. base it on IP addresses only (but only for read
>operations, I would hope:-)
>Nitpick: The word "use" is wrong. Putting the currently active
>authentication identity in LDAPResult.diagnosticMessage is "use" of
>info, but not authorization. Not sure if this is worth bothering
>> Authorization MAY be affected by factors
>> outside of the LDAP Bind Request, such as those provided by lower
>> layer security services.
>Here is a suggestion, though it's a bit long. Maybe the last sentence
>should be dropped.
>Authorization is the decision of which access an operation has to
>the directory. It may be affected by many factors, often including
>the association's authorization identity, which again was derived
>from or authorized via the authentication information.
>Authorization may be affected by factors outside of the LDAP Bind
>Request, such as those provided by lower layer security services.
I like the change but it still seems too specific. How about:
Authorization is the process of enforcing policy while performing
operations. Among other things, the process of authorization takes as
input authentication information obtained during the bind operation
and/or other acts of authentication (such as lower layer security