Re: AuthzIDs or DNs, but not both



At 05:01 PM 11/15/99 -0600, you wrote: 
>Paul writes:
>>If this is going to prove such a bother, I would just prefer that 
>>the whole authzid thing got yanked. I think it's a bad idea to let 
>>anyone (even an admin) just declare that they want to be someone 
>>else. A bad idea in that I think it's ripe for security abuse.
  
>I feel some sympathy for this proposal.

Well, I personally support the notion that authorization identities
may not be (visible) LDAP entries.  I just believe we can represent
them as strings of DN syntax and as such see zero need to extend the
protocol and information model to support a second representation.

>Is anyone using authzid?

Except for operational experience, does it matter?  The notion
of authzid is described by an I-D and hence any use of such is
purely experimental.  We should not base the engineering choice
of adding authzid to the protocol/information model because
someone foolishly deployed it.