RE: AuthzIDs or DNs, but not both



At 01:47 PM 11/15/99 -0500, Curtin, William wrote:
>Perhaps the use of the word INTERNAL was a poor choice. By internal I meant
>that the server would map the uAuthzId used for authentication into the
>distinguished name associated with the uAuthzId to support operational
>attributes, access control, etc. Is there a better way to phrase it?

The key issue I am raising is whether or not it makes sense to have more
than one protocol representation of authorization principals.  I believe
only one is necessary and that a second is an unnecessary complication.

The fact that a server can map the uAuthzId to a DN implies
that the client can map a uAuthzId to a DN.  Hence, there is
no need for the second protocol representation as the client can do
this mapping.  We just need to describe how the mapping should be
done to make it generally useful.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>