Re: AuthzIDs or DNs, but not both
At 05:01 PM 11/15/99 -0600, you wrote:
>Paul writes:
>>If this is going to prove such a bother, I would just prefer that
>>the whole authzid thing got yanked. I think it's a bad idea to let
>>anyone (even an admin) just declare that they want to be someone
>>else. A bad idea in that I think it's ripe for security abuse.
>I feel some sympathy for this proposal.
Well, I personally support the notion that authorization identities
may not be (visible) LDAP entries. I just believe we can represent
them as strings of DN syntax and as such see zero need to extend the
protocol and information model to support a second representation.
>Is anyone using authzid?
Except for operational experience, does it matter? The notion
of authzid is described by an I-D and hence any use of such is
purely experimental. We should not base the engineering choice
of adding authzid to the protocol/information model because
someone has foolishly deployed it.