Re: AuthMeth issue summary
Hi Mark,
If we had all the items you list, that would be SASL heaven... Have you any idea when
these SASL work items will start to be mapped out in more detail?
Rob.
--iPlanet Directory Group
Mark Wahl wrote:
> One background item is that we are trying to provide interoperability
> between LDAP users of SASL in advance of all of the SASL framework being
> completed as PS RFCs. Some of your issues are more generic SASL discussion
> points. In authmeth-04 as part of a compromise between some of the groups of
> implementors / users of authorization IDs in LDAP, we provided a specification
> of authorization identities that allows for both DNs and arbitrary user
> identities. (RFC 2222 4. #5 states that a protocol defines how the authorization
> identity is to be interpreted). I would hope that there would be a SASL work
> item at some point to more fully define how authorization identities can be
> used that is independent of the underlying protocol: e.g. I want to have a
> common authorization identity for a Web site accessed via HTTP, an IMAP store,
> an LDAP directory, etc. Furthermore I would want to ensure that access control
> systems which use authorization identities in implementations of each of
> the underlying protocols can make interoperable decisions, such as how to
> - validate an authorization identity (e.g. identities with an expiry date),
> - compare two authorization identities for equality,
> - map different kinds of real-world identities to authorization ids,
> - express containment, wildcards, role<->occupant and group<->member
> relationships between authorization identities,
> - know whether an authorization identity is a capability and should be
> protected as such, etc.
> Once this is done by some SASL working group, then it would presumably
> update 2222 section 4 #5 so that the interpretation of authorization identity
> is not purely a protocol-specific function, and then the next revisions to
> the LDAPv3, IMAP, HTTP etc RFCs could move the protocol-specific identity
> information out into its own documents.
>
> Mark Wahl, Directory Product Architect
> Innosoft International, Inc.
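The two-form authorization identity Mark describes (a DN or an arbitrary user identity) and the "compare two authorization identities for equality" item from his list are concrete enough to show in code. The following is an added example, not code from either participant or from any of the drafts discussed. It assumes the "dn:" / "u:" prefix syntax that the LDAP authmeth work later published in RFC 2829 section 9 (the message itself only says both forms are allowed), and it assumes a small fixed set of case-insensitive attribute types where a real server would consult its schema's matching rules.

```python
"""Parse and compare SASL authorization identities in the two LDAP forms.

Added example (not from the thread). Assumptions, labelled here:
  - authzid syntax is "dn:" + distinguished name, or "u:" + opaque userid
    (the RFC 2829 section 9 form; the message only says both are allowed);
  - the attribute types in CASE_IGNORE_TYPES match case-insensitively.
    Real equality depends on each attribute's matching rule in the server
    schema, so treat this table as a stand-in for a schema lookup.
"""
import re
from dataclasses import dataclass

# Attribute types whose values are compared case-insensitively in most
# deployed schemas (assumption for the example, see module docstring).
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "uid", "c", "l", "st"}


class InvalidAuthzId(ValueError):
    """Raised when an authorization identity cannot be interpreted."""


@dataclass(frozen=True)
class AuthzId:
    kind: str   # "dn" or "u"
    value: str  # normalised DN string, or the opaque userid byte-for-byte


def _normalize_dn(dn: str) -> str:
    """Canonicalise a DN string so textual variants of one name compare equal.

    Splits RDNs on unescaped commas and AVAs on unescaped '+', lower-cases
    attribute types, trims whitespace around separators, lower-cases values
    of case-ignore types and sorts multi-valued RDN components. Escapes
    are handled only for the "\\," and "\\+" cases, a deliberate simplification.
    """
    normalised_rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" not in ava:
                raise InvalidAuthzId(f"malformed RDN component: {ava!r}")
            attr_type, attr_value = ava.split("=", 1)
            attr_type = attr_type.strip().lower()
            attr_value = attr_value.strip()
            if not attr_type or not attr_value:
                raise InvalidAuthzId(f"empty type or value in {ava!r}")
            if attr_type in CASE_IGNORE_TYPES:
                attr_value = attr_value.lower()
            avas.append(f"{attr_type}={attr_value}")
        normalised_rdns.append("+".join(sorted(avas)))
    return ",".join(normalised_rdns)


def parse_authzid(raw: str) -> AuthzId:
    """Interpret an authzid string; reject anything outside the two known forms.

    Control characters are rejected outright: an identity string is later
    used as an access-control key, so it must not smuggle in line breaks or
    other bytes that a log or policy parser would misread.
    """
    if not raw or any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        raise InvalidAuthzId("empty identity or control characters present")
    if raw.startswith("dn:"):
        body = raw[3:]
        if not body.strip():
            raise InvalidAuthzId("dn: form with empty distinguished name")
        return AuthzId("dn", _normalize_dn(body))
    if raw.startswith("u:"):
        body = raw[2:]
        if not body:
            raise InvalidAuthzId("u: form with empty user identifier")
        # The userid is protocol-defined and opaque here: no case folding,
        # no trimming. That is the conservative reading of RFC 2222 4 #5.
        return AuthzId("u", body)
    raise InvalidAuthzId(f"unknown authorization identity form: {raw!r}")


def is_valid_authzid(raw: str) -> bool:
    """True if parse_authzid() accepts the string."""
    try:
        parse_authzid(raw)
        return True
    except InvalidAuthzId:
        return False


def same_identity(a: str, b: str) -> bool:
    """Equality as an access-control system would decide it.

    Two identities are equal only when they have the same form and the same
    normalised value. A dn: identity never equals a u: identity here; mapping
    one form onto the other is exactly the cross-protocol work item the
    message above says is still undefined, so this code refuses to guess.
    """
    return parse_authzid(a) == parse_authzid(b)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real directory.
    print(same_identity("dn:CN=Rob, OU=Directory Group,o=iPlanet",
                        "dn:cn=rob,ou=directory group,o=iplanet"))
    print(same_identity("u:rob", "dn:cn=rob,o=iplanet"))
```

The point of splitting the comparison into a normalisation step and an equality step is that the two forms need different treatment: a DN has a defined string syntax with case-insensitive types and separators that can carry whitespace, so textual variants must be canonicalised before comparing, while a "u:" identity has no agreed structure and is safest treated as an opaque token. Folding case on "u:" values, or accepting a third prefix a server did not define, would silently widen who an access-control entry matches.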