IP/DNS subjects - draft-ietf-ldapext-acl-model-08.txt
As we've gone around a couple of times on this issue previously,
I will just note my continued objection to the inclusion of
IP address and DNS based subjects as they are easily spoofed.
I especially dislike that they are NOT RECOMMENDED but MUST
be implemented. I also note that their semantics require
numerous special cases such as abnormal precedence (subjects
w/ ranges, wildcards, and otherwise matching multiple entities
are less specific than authzId based subjects) and grant/deny
semantics.
As the specification allows extension of subject forms, I recommend
that IP address and DNS based subjects be introduced in a document
extending the LDAP ACM specification.
Kurt