[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACM Security Considerations
Kurt,
These are very good points. Just to say that I think that the model of
allowing the LDAP Mechanism to control access to these ACM attributes
itself (which I believe is the natural and simplest model) is compatible
with the requirements you outline--once we have a way to express the
authentication level of subjects.
For the "out-of-directory" policy point...I can see a strong need for that
and but it clearly jepordizes interoperability. Are there other standard
technolgies that have this concept that we learn from...?
Rob.
"Kurt D. Zeilenga" wrote:
> I think this section needs additional flushing out. Here
> are some comments in this area:
>
> I believe some discussion about what can happen if an attacker is able
> to add/modify/delete ldapACI and other ACM attributes (such
> as the mechanism) might have. For example, if the attacker
> were able to change the mechanism, all access to all users
> might be denied. If unauthorized access to ldapACI were gained,
> the user could grant or deny access for not only herself but
> other users. Etc.
>
> Since the existing concern states ACI attributes are
> "security-sensitive information" but only states
> "unauthorized modification whenever it is stored or transmitted"
> should be safeguarded. I would suggest add someing about in the
> clear access. That is, if the information is truely security-sensitive
> than allowing any access is an issue. [many security experts believe
> that details of security policy and it's implemention should be
> safeguarded]. Implementations might consider requiring strong
> authentication and/or privacy and integrity safeguards before
> allowing access to ACIs.
>
> You might also note that implementation might want to provide
> out-of-directory restrictions upon what accesses in-directory
> can grant/deny. [I believe this is already allowed by the
> spec via the "No mechanisms are defined in this document to
> control access to access control information." That is,
> an implementation is free to return unwillingToPerform (or
> other suitable resultCode) if there is some administrative
> control which prohibit from performing the update operation.
> [I believe this MUST be allowed. In some (GOV,MIL,B2B)
> environments, "dynamic" (in directory) access control
> information must be restricted by "static" (external to
> directory configuration) means.]
>
> Kurt