
Re: Authentication Level



David,

This still seems like a security "feature" rather than a logical or security "MUST".
What I mean is the deny/authnlevel behaviour you are proposing seems to be a
shorthand for a behaviour that can be expressed without making a special case of
deny/authnlevel.
So, where you would "deny Rob Byrne with authnlevel TLS + certificate" I would "deny
Rob Byrne with authnlevel TLS + certificate" _and_ "deny ALL with any other
authnlevel".

If your proposal is just a shorthand then I'm wondering if having the two policies
stated explicitly isn't better.
If your proposal is required by the model...then I guess you are going to tell me
so...

Rob.

David Chadwick wrote:

> Date sent:              Tue, 18 Jul 2000 10:50:03 +0200
> From:                   Rob Byrne - Sun Microsystems <Robert.Byrne@france.sun.com>
> Organization:           Sun Microsystems
> To:                     d.w.chadwick@salford.ac.uk
> Copies to:              ietf-ldapext-acm@OpenLDAP.org
> Subject:                Re: Authentication Level
>
> >
> > David,
> >
> > I think the behaviour of authnLevel is a matter of definition and I
> > do not see why we need to make a special case of the authnLevel
> > subject setting when a deny() is present.
>
> Rob
>
> It's a matter of security. Say I want to deny Rob Byrne, who must
> be authenticated with TLS + certificate, then everyone who is NOT
> TLS + certificate authenticated MUST be denied access as well,
> otherwise Rob Byrne can log in unauthenticated and not be denied
> access.
>
> In other words, to prove that I am not denied access I must log in
> with TLS + certificate to prove I am David Chadwick and not Rob
> Byrne. In this way, deny works differently to grant access.
>
> David
>
> >
> > The other thing is I don't think there is an ordering defined on the
> > values of this keyword--so that you could even say something like "at
> > least the level specified".  Maybe it's just a badly named keyword ?
> >
> > Rob.
> >
> > David Chadwick wrote:
> >
> > > Ellen]
> > >
> > > An important point about the authentication level (which I could not
> > > find in the draft) is that for the permission to be granted the
> > > subject must have been authenticated to at least the level
> > > specified, but that if the right is a deny, then EVERYONE is denied
> > > access unless they have been authenticated to at least the level
> > > specified in authnLevel.
> > >
> > > David
> > >
> > > ***************************************************
> > >
> > > David Chadwick
> > > IS Institute, University of Salford, Salford M5 4WT
> > > Tel +44 161 295 5351  Fax +44 161 745 8169
> > > Mobile +44 790 167 0359
> > > Email D.W.Chadwick@salford.ac.uk
> > > Home Page  http://www.salford.ac.uk/its024/chadwick.htm
> > > Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
> > > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> > > Entrust key validation string MLJ9-DU5T-HV8J
> > >
> > > ***************************************************
> >
> >
>
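The two readings of authnLevel argued over in this thread, as an added example (not code from the thread, the draft or either author): a small policy evaluator that assumes a constructed ordering of authentication levels (the draft defines none, as Rob notes), a deny-overrides-grant combination rule, and a constructed "below" rule variant to express Rob's explicit "deny ALL with any other authnlevel".

```python
from dataclasses import dataclass
from itertools import product
# Constructed ordering of authentication levels (an assumption; the draft defines none)
LEVELS = {"none": 0, "simple": 1, "tls": 2, "tls+cert": 3}

@dataclass(frozen=True)
class Rule:
    effect: str             # "grant" or "deny"
    subject: str            # identity the session claims, or "ALL"
    authn_level: str        # the authnLevel named in the rule
    when: str = "at_least"  # "below" is a constructed variant for the explicit two-rule form

def plain_applies(rule, user, level):
    # authnLevel read the same way for grant and deny: subject matches and the level test passes
    strong_enough = LEVELS[level] >= LEVELS[rule.authn_level]
    return rule.subject in ("ALL", user) and (strong_enough == (rule.when == "at_least"))

def chadwick_applies(rule, user, level):
    # Chadwick's special case: a deny also hits any session authenticated below the
    # named level, because such a session cannot prove it is not the denied subject
    if rule.effect == "deny" and LEVELS[level] < LEVELS[rule.authn_level]:
        return True
    return plain_applies(rule, user, level)

def expand_deny(rules):
    # Byrne's explicit form: "deny X at L" becomes "deny X at L" plus "deny ALL below L"
    out = []
    for r in rules:
        out.append(r)
        if r.effect == "deny":
            out.append(Rule("deny", "ALL", r.authn_level, "below"))
    return out

def decide(rules, user, level, applies):
    # deny overrides grant; with no applicable grant the answer is deny
    hits = [r for r in rules if applies(r, user, level)]
    return "deny" if not hits or any(r.effect == "deny" for r in hits) else "grant"

# Constructed policy: everyone may read, except Rob Byrne (authenticated by TLS + certificate)
POLICY = [Rule("grant", "ALL", "none"), Rule("deny", "Rob Byrne", "tls+cert")]

def hole_in_plain_reading():
    # a session claiming to be Rob without TLS + certificate escapes the deny
    return decide(POLICY, "Rob Byrne", "none", plain_applies)

def explicit_form_matches_special_case():
    # the special-cased deny and the two explicit rules agree for every user and level
    expanded = expand_deny(POLICY)
    return all(decide(POLICY, u, l, chadwick_applies) == decide(expanded, u, l, plain_applies)
               for u, l in product(["Rob Byrne", "David Chadwick"], LEVELS))
```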