Re: IP Address in the ACM (Was: Comments on Access Control Model - BNF)
I don't think we should put optional things in the spec--it will create
interoperability problems.
I don't see why you are particularly down on ip address subjects, but a
subject with simple authentication doesn't seem to bother you. I mean,
in practice I would say there is not much difference in the risk
involved in granting rights based on ip addresses and granting rights to
a subject with an authentication level of "simple".
The point is that, depending on the environment, these might well be
useful and acceptable ways of granting rights. As such I think we
should keep the ip address subject, with the kind of warnings you
suggest.
Rob.
"Kurt D. Zeilenga" wrote:
>
> At 10:59 AM 4/4/01 -0700, Paul Leach wrote:
> >I hope that IP addresses as subjects are OPTIONAL, and that the security
> >considerations section is appropriately negative on their security.
> >
> >In fact, I believe they should be a SHOULD NOT in the spec -- i.e., you
> >must have good reason to believe that they are secure before you use
> >them.
>
> I concur.
>
> I also note that DNS names have all the security concerns of
> the IP Addresses they are derived from and the DNS system
> used to generate them.