[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: C LDAP API: security considerations
At 23:03 13.11.99 -0800, Paul Leach (Exchange) wrote:
Suggest one plausible way in which it is possible to specify policy to an
application to do anything with the flexibility you insist must be present.
I.e., suppose the application is informed that it has been given a referral.
When and how will it decide to chase it, and when not?
One plausible way, modelled on IE5's "server zones":
The UI stores a list of all servers encountered during searchs or referrals.
By default, all servers are listed in the "anonymous" zone, the UI chases
referrals to these, and gives no authentication data.
For servers in the "internal" zone, which can be all server names matching
"domain", or explicitly enumerated, the UI chases referrals, and uses RSA
authentication with the company certificate.
For servers in the "expensive" zone, the UI will pop up a dialog box before
chasing a referral.
Elaborate until user confused :-)
Note: These are *exactly* the kinds of considerations that lead to popup
boxes today when chasing links between HTTP and HTTPS pages.
What makes sense in HTTP can't be called totally meaningless in LDAP.
Harald
--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no