[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: increasing complexity - draft-ietf-ldapext-acl-model-08.txt
> > - remove authnLevel. Don't add integrity/confidentiality
> > factors.
>
> Having read the draft, either the authnLevel should be
> removed or just auth mechanisms listed. The current proposed
> bucketization of authnLevel is a receipe for interoperability
> nightmares.
>
I disagree that this is an interop nightmare. When an admin
is constructing an ACI using an authnLevel, they are interested
in the probability that an authenticated user is who they claim
to be.
Two systems may allow different mechanisms, but the mechanisms
can be mapped onto the different strengths, so I think it would
aid interop.
The strength level 'buckets' also help when a mechanism is depricated
for some reason (eg Cram-MD5 would not have been categorized as
weak a few years ago), or when a new mechanism is added to the server.
Mark