
Re: protocol-22 comments



>>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 3/9/04 7:20:19 AM
>>>
>> 4.2. Bind Operation
>
>> Authorization is the use of this authentication information when
>> performing operations.
>
>No, authorization need not make use of the authentication information.
>One could e.g. base it on IP addresses only (but only for read
>operations, I would hope:-)
>
>Nitpick: The word "use" is wrong. Putting the currently active
>authentication identity in LDAPResult.diagnosticMessage is "use" of auth
>info, but not authorization. Not sure if this is worth bothering with,
>though.
>
>> Authorization MAY be affected by factors
>> outside of the LDAP Bind Request, such as those provided by lower
>> layer security services.
>
>Here is a suggestion, though it's a bit long. Maybe the last sentence
>should be dropped.
>
>Authorization is the decision of which access an operation has to
>the directory. It may be affected by many factors, often including
>the association's authorization identity, which again was derived
>from or authorized via the authentication information.
>Authorization may be affected by factors outside of the LDAP Bind
>Request, such as those provided by lower layer security services.

I like the change but it still seems too specific. How about:
 
Authorization is the process of enforcing policy while performing
operations. Among other things, the process of authorization takes as
input authentication information obtained during the bind operation
and/or other acts of authentication (such as lower layer security
services).