[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: subjects in LDAP ACMs
"Kurt D. Zeilenga" wrote:
>
> At 06:00 AM 4/25/01, robert byrne wrote:
> >The only explicit reference to these "things" I can find in 2820
> >actually refers to them as the "Access context" and doesn't have
> >anything else to say about them:
>
> As I noted previously, RFC 2820's use of the terminology is a bit
> inexact. However, I believe the intent of the stated requirements is
> clear enough. I won't hair split over them.
>
> I just reiterate my basic position:
>
> Support for multiple orthogonal subject factors is a rat hole
> (consider precedence and "effective rights" issues).
If factors complicate or clash with other parts of the model then that
could be grounds for dropping them from the model. I wouldn't
anticipate a problem for precedence--I think you could define away any
problems there. The impact on getEffective rights is more serious--I'm
planning to have a look at getEffectiveRights...
Rob.
>
> Support for a single subject factor which includes elements
> not drawn from the "natural" LDAP name space has limited use
> subject to significant security considerations.
>
> The need for non-"natural" subject factors could be addressed
> via other means.
>
> For these and other reasons, I believe it best for the LDAP ACM
> not support multiple orthogonal subject factors nor support
> a single subject factor which includes factors not drawn from
> the "natural" LDAP name space.
>
> Lastly, I believe we need to keep the LDAP ACM simple. Not
> just for security ask, but for sake of timely completion of this
> work.
>
> Kurt