Re: subjects in LDAP ACMs
"Kurt D. Zeilenga" wrote:
>
>
> I see a few major considerations. In particular, an attack upon
> a weak mechanism could be used to gain access requiring strong
> authentication. That is, a password exposed by use of simple bind
> could be used to gain access via DIGEST-MD5.
>
This is certainly a deployment consideration. At the same time the
point is somehow trivial--in security terms, all bets are off for a
client who exposes his authentication credentials.
> >Finally what we are discussing here are "factors" not "subjects" and so
> >I don't think they are ruled out by U2.
>
> Authorization identities are one type of factor. There are
> numerous types of factors which could be used to make access
> control decisions. I believe RFC 2820 and this I-D use the
> term subject to refer to any kind of factor derived from or
> provided from the client's LDAP association.
> "Security subject - An entity in an active role to which a
> security policy applies." [RFC2820]
>
> "This policy data describes security-relevant characteristics
> of the requesting subject and the rules which govern the use
> of the target object." [I-D]
>
> I assume U2 applies not only to authorization identities but
> all factors associated with the subject. All of the factors
> you suggest relate directly to the entity to which the security
> policy applies and hence are "subject factors" or "subjects".
>
The only explicit reference to these "things" I can find in 2820
actually refers to them as the "Access context" and doesn't have
anything else to say about them:
"Access context - The context, in terms of such variables as location,
time of day, level of security of the underlying associations, etc.,
in which an access to a security object is made."
Rob.
> Kurt
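As an added illustration of the vocabulary argued over above (not code from either poster or from any LDAP server), the following constructed Python model separates the "subject factors" Kurt describes (authorization identity, bind mechanism, security strength of the association) from RFC 2820's "access context" (time of day, client network) and evaluates a policy over both. The policy entries, DN names and the `ssf` numbering are assumptions chosen for the example.

```python
"""Toy access-control evaluator using the RFC 2820 vocabulary from the thread.
Constructed example; it does not implement any real LDAP server's ACL syntax."""
from dataclasses import dataclass, field

@dataclass
class Subject:
    authz_id: str            # authorization identity, one factor among several
    mechanism: str           # how the association was authenticated
    ssf: int                 # security strength factor of the association (0 = cleartext)
    groups: set = field(default_factory=set)

@dataclass
class AccessContext:
    hour: int                # time of day, 0-23
    client_net: str          # e.g. "internal" or "external"

@dataclass
class Rule:
    target: str
    op: str
    who: set                 # authz ids or group names granted, or {"anyone"}
    min_ssf: int = 0         # minimum association strength
    mechanisms: set = None   # allowed bind mechanisms; None means any
    hours: range = range(24)
    nets: set = None         # permitted client networks; None means any

# Assumed policy: payroll needs HR membership, a strong mechanism over a
# protected association, office hours and the internal network.
POLICY = [
    Rule("cn=payroll,dc=example", "read", {"cn=hr,dc=example"}, min_ssf=128,
         mechanisms={"DIGEST-MD5", "EXTERNAL"}, hours=range(8, 18), nets={"internal"}),
    Rule("cn=phonebook,dc=example", "read", {"anyone"}),
]

def decide(policy, subject, target, op, ctx):
    """Return (allow, reason). Mechanism and ssf are subject factors;
    hour and network belong to the access context."""
    for r in policy:
        if r.target != target or r.op != op:
            continue
        if "anyone" not in r.who and not ({subject.authz_id} | subject.groups) & r.who:
            return False, "identity not granted"
        if subject.ssf < r.min_ssf:
            return False, f"ssf {subject.ssf} < required {r.min_ssf}"
        if r.mechanisms and subject.mechanism not in r.mechanisms:
            return False, f"mechanism {subject.mechanism} not permitted"
        if ctx.hour not in r.hours:
            return False, "outside permitted hours"
        if r.nets and ctx.client_net not in r.nets:
            return False, "client network not permitted"
        return True, "granted"
    return False, "no matching rule"
```

The evaluator can distinguish a simple bind from a DIGEST-MD5 bind, but it cannot tell whether the password behind the DIGEST-MD5 bind was exposed earlier over a weaker mechanism, which is exactly the deployment consideration raised in the thread.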