Re: Standards and APIs (C LDAP API: security considerations)
Graham Klyne wrote:
>
> >> One man's application is another man's vendor.
> >>
> >> The classical reason for standard APIs is so that you can have one
> >> application running on multiple platforms, or multiple OS
> >> versions, and have the results of that application be the same.
> >
> >I don't disagree as far as it goes -- I'm just adding "results of that
> >application be the same when the configured policies are the same".
>
> I'd suggest that to achieve this in a _standard_ API, one would also need
> to specify the policy configuration options that must be provided, and
> their effect on the behaviour of an API implementation, and possibly even
> the mechanisms for configuring policies. Without this, applications that
> wish to depend on some particular (policy-defined) behaviour are left out
> in the cold; or, they use an API subset for which full semantics are
> defined, which brings us back to Harald's position.
>
> I suspect that policy configuration could turn out to be a rathole.
I strongly agree. My position is that the C LDAP API standard which we
have been trying to reach consensus on for some time should not attempt
to address policy for chasing of referrals. I think this aligns pretty
well with Harald's position as well. If there is a lot of value in
providing policy-based decision making on top of or beneath the C LDAP
API, that should be tackled as an optional extension to the API. I
would also argue that any such extension would be experimental at this
time because we have very little (no?) operational experience with
application-neutral policy-based referral chasing in LDAP.
--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's. Got LDAP?