Re: RE: ACL Draft

Hi,
  I have a hard time understanding why the "who" would contain the
information of "from where". The identity should be maintained uniquely by
"who" irrespective of from where the connection is made.

Sukanta Ganguly

>>> Paul Leach <paulle@microsoft.com> 10/22 1:14 PM >>>
The traditional way of dealing with this is instead to say that the
"who" can contain lots of interesting info, such as where you are
connecting from. In other words, if it matters (for security purposes)
that "who" connecting from home and "who" connecting from work, then
they are different "who"s -- i.e., they are different principals.

As such, this is all completely orthogonal from the ACL issue: we
explicitly said that the form of principal names is a matter for the
authentication mechanism, not for ACLs. If you want to include "where
from" information in principal names, that's fine, as long as you
propose an authentication mechanism that can securely verify such
information.

> ----------
> From:  Larry Masinter[SMTP:masinter@parc.xerox.com] 
> Sent:  Wednesday, October 22, 1997 9:08 AM
> To:  Howard Palmer
> Cc:  Yaron Goland; W3c-Dist-Auth (E-mail)
> Subject:  Re: ACL Draft
> 
> To put it another way, you'd like
> 
> >   The basic model for access control, informally expressed, is that
> >    who you are determines how you can access a resource....
> 
> to change, so that 
> 
>   the basic model for access control is that
>   who you are and where you're connecting from determines ...
> 
> Larry
> -- 
> http://www.parc.xerox.com/masinter 
> 

Received on Wednesday, 22 October 1997 16:15:44 UTC