
increasing complexity - draft-ietf-ldapext-acl-model-08.txt
I would like to voice my general opinion that the ACM
may be overly complex.  I believe the ACM should
be much simpler.

I offer for (re)consideration:

- instead of defining permissions which parallel LDAP
  operations, define permissions based upon the type
  of access being made.  That is, "write" permission
  would be needed by a subject to update a particular
  target regardless of what operation was used to
  request the update.

- return to one ACI attribute and handle entry/subtree
  semantics via target scope in the value.  This scope
  would be more easily extended to support non-entry
  and non-subtree scopes (such as one-level, children,
  etc.).

- eliminate one of the syntax variants.  I suggest using
  just an ASN.1 described syntax to be ";binary" transferred.
  (A string representation of this could be separately defined
  for presentation to users, if desired.)

- remove all mention of ldapACIsubentry from the I-D and
  generalize the out-of-scope statement to "prescriptive
  ACIs and scoping via subentries is beyond the scope of
  this document".

- remove ipAddress and DNS subjects as they require special
  semantics (as well as for the security considerations
  separately noted).

- remove authnLevel.  Don't add integrity/confidentiality
  factors.

- don't require recursive expansion of roles and groups
  (implementation complexity).

Kurt