RE: Comments on aci-model-04
Date forwarded: Tue, 19 Oct 1999 07:14:15 -0700 (PDT)
From: "Miklos, Sue A." <samiklo@missi.ncsc.mil>
To: "'d.w.chadwick@salford.ac.uk'" <d.w.chadwick@salford.ac.uk>,
Ellen Stokes <stokes@austin.ibm.com>, ietf-ldapext@netscape.com
Subject: RE: Comments on aci-model-04
Date sent: Tue, 19 Oct 1999 10:14:27 -0400
Forwarded by: ietf-ldapext@netscape.com
> David, Ellen,
>
> Would the ACDF processing of the semantic content contained within the
> 'group' against the credentials presented be different between the two
> usages?
Yes it would. From examining the ACI on its own and the DN of the
requester, it is not possible to tell if the requester is granted or
denied access with the definition of group as it stands. However, if
group and subtree are clearly differentiated, then for the latter the
ACDF can immediately tell if the requester is within the subtree and
thereby make a decision. For group, the ACDF will need to retrieve
the GoN Members and check the requester's DN against the list. But
if the group were a subtree there would be no GoN Members to retrieve.
David
>
> Could the processing be restrictive (exact match / equality) or permissive
> (intersection / subset) in either case?
>
> Sandi Miklos
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick@salford.ac.uk]
> Sent: Tuesday, October 19, 1999 9:26 AM
> To: Ellen Stokes; ietf-ldapext@netscape.com
> Subject: Re: Comments on aci-model-04
>
>
>
> >
> > In implementation, group and role tend to both be implemented as a group
> > of names. However, a group is just a collection of names where the group
> > name can be used to shorthand access to some object or attribute.
>
> Ellen,
>
> This is the bit I am objecting to, i.e. the attaching of two different
> semantics to group: one where the name of the group is a shorthand for
> the group, e.g. o=ibm,c=us; the other where the name of the group points
> to a group of names object where the enclosed names bear no relationship
> to the name of the group, e.g. cn=ldapext,dc=netscape,dc=com.
>
> I therefore am proposing that you have two separate values for
> dntype, to reflect the differences. Let's call them subtree and group.
>
> David
>
> ***************************************************
>
> David Chadwick
> IS Institute, University of Salford, Salford M5 4WT
> Tel +44 161 295 5351 Fax +44 161 745 8169
> Mobile +44 790 167 0359
> Email D.W.Chadwick@salford.ac.uk
> Home Page http://www.salford.ac.uk/its024/chadwick.htm
> Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string MLJ9-DU5T-HV8J
>
> ***************************************************
>
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
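The subtree-versus-group distinction argued in the thread above, as an added example that is not part of the aci-model draft and not code from any list participant. It shows why the ACDF can decide a subtree subject from the requester's DN alone, while a group subject requires fetching the group-of-names entry's member list, and why a group subject that is really a subtree name has no members to fetch. The in-memory directory, the DNs, the `dntype` values `subtree` and `group`, and all function names are constructed for illustration; `member` is the attribute type that groupOfNames uses.

```python
"""ACDF subject matching for 'subtree' vs 'group' dntype (illustrative)."""


def parse_dn(dn):
    """Split a string DN into a list of (type, value) pairs, lower-cased.

    Handles backslash-escaped commas; multi-valued RDNs are not needed here.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def normalize_dn(dn):
    """Canonical string form so DNs compare reliably regardless of spacing/case."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def in_subtree(requester_dn, base_dn):
    """True when requester_dn is base_dn or lies beneath it.

    This needs no directory lookup: the decision follows from the DN syntax.
    """
    req, base = parse_dn(requester_dn), parse_dn(base_dn)
    return len(req) >= len(base) and req[-len(base):] == base


# Constructed sample directory: a subtree-style name and a groupOfNames entry.
DIRECTORY = {
    normalize_dn("o=ibm,c=us"): {"objectClass": ["organization"]},
    normalize_dn("cn=ldapext,dc=netscape,dc=com"): {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,o=ibm,c=us", "cn=bob,o=sun,c=us"],
    },
}


def group_members(directory, group_dn):
    """Return the normalised member DNs of a groupOfNames entry, or None
    if the entry does not exist or carries no member attribute."""
    entry = directory.get(normalize_dn(group_dn))
    if entry is None or "member" not in entry:
        return None
    return {normalize_dn(m) for m in entry["member"]}


def subject_matches(directory, dntype, subject_dn, requester_dn):
    """Decide whether an ACI subject of the given dntype covers the requester.

    'subtree' is decided locally; 'group' needs the member list. A 'group'
    subject whose entry has no members cannot be decided, so we raise rather
    than silently deny or grant.
    """
    if dntype == "subtree":
        return in_subtree(requester_dn, subject_dn)
    if dntype == "group":
        members = group_members(directory, subject_dn)
        if members is None:
            raise LookupError(f"no group-of-names members to retrieve for {subject_dn}")
        return normalize_dn(requester_dn) in members
    raise ValueError(f"unknown dntype {dntype!r}")


if __name__ == "__main__":
    alice = "cn=alice,ou=people,o=ibm,c=us"
    print(subject_matches(DIRECTORY, "subtree", "o=ibm,c=us", alice))
    print(subject_matches(DIRECTORY, "group", "cn=ldapext,dc=netscape,dc=com", alice))
```

Run as a script it prints `True` twice: alice is both under the o=ibm,c=us subtree and listed in the ldapext group. Asking for `dntype="group"` with subject `o=ibm,c=us` raises `LookupError`, which is exactly the ambiguity the thread is about if one value of dntype had to carry both meanings.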