
RE: C LDAP API: security considerations





> -----Original Message-----
> From: Harald Tveit Alvestrand [mailto:Harald@Alvestrand.no]
> Sent: Wednesday, November 17, 1999 5:23 AM

>
> <SPAN MODE="IETF Policy">
> IMNSHO, this is exactly the wrong thing to have happen in the *standard*
> LDAP API. Policy engines cannot be standardized at the present stage of our
> ignorance; a standard API should (IMNSHO) be no more than a means of
> creating protocol elements on the wire and state in the state machines on
> each end.
>
> It is then up to the vendor (hi vendor!) to provide extended APIs that
> build upon the standard LDAP API to encapsulate policy decisions by the
> site admin.
> But this functionality SHOULD NOT be standardized and MUST NOT be mandatory.
> </SPAN>

I respectfully submit that this is not why most people want a standardized API. What you propose means that the LDAP API becomes an interface for vendors to use to build the _actual_ API layer that applications call. That layer would not be a standard. What people want is a standard API for applications to use, not vendors.

I do not believe that it is necessary to have a standardized policy engine to say that an API is supposed to enforce policy (whatever it is). That's different than saying the API must enforce some particular policy.