- From: Steve Kille <S.Kille@isode.com>
- Date: Sat, 27 Mar 1999 07:18:29 +0000
- To: Keith Moore <moore@cs.utk.edu>
- Cc: discuss@apps.ietf.org
Keith,

I think it was useful for you to send this message. I've looked at this document as a WG member, and it seems broadly sensible. The problem is not this document, but how it ties into a broader picture. There are a few related things:

1) What is LDAP? Some of us view it as an access protocol, with one of its key benefits being that it is a "lowest common denominator" that can connect into NDS, X.500, Oracle Databases, or servers designed specifically to support LDAP. Others view LDAP as synonymous with "Internet Directory". To me, the former view is a massive strength, which has enabled everyone to agree on LDAP! Whatever, I think that there needs to be a general view taken on this, and it goes much broader than the LDAP WG.

2) I think that what we are talking about here is "Internet Directory Access Control". It is not just to do with the access protocol.

3) A key issue for Internet Directory Access Control is whether to use X.500 Access Control. This has been discussed in the WG, and there is a strong and clear view in the WG that this should be looked at seriously. I think that there has been a fairly clear view that X.500 Access Control meets the functional requirements. If it does not, there is a good liaison with the X.500 committee, and I am sure that they would look at dealing with further requirements. There are some who think X.500 Access Control is the right direction. For the most part, these people are just getting on with using this, as they view the spec to be done. Others think that X.500 belongs with the dinosaurs, and are proposing specifications. One group writing a specification has written a document explaining why they don't like X.500. I don't think anyone has taken a more objective view here. I view that having multiple specifications here will hurt (much more than replication, where co-existence of multiple protocols would not really be a big deal).

I feel strongly that the IETF should adopt X.500 Access Control for the Internet Directory: it will do the job. I think that those writing the ACL specs are suffering from NIH, and not taking a broader view. The group proposing the ACL specs are using this requirements doc as a mechanism to promote their specification (i.e., it has a hidden agenda). I think that there is a third (silent) group, whose commercial interests would prefer not to see a clean and coherent resolution.

4) It may make sense to look at how this ties in to access control for related services, such as ACAP and IMAP.

Steve Kille

On Fri, 26 Mar 1999 18:18:44 -0500 Keith Moore <moore@cs.utk.edu> wrote:

> Folks,
>
> The LDAPEXT working group has submitted a document called
> Access Control Requirements for LDAP for IESG approval.
> I'd appreciate some review of this document by the extended community.
>
> The issue is not so much whether we should publish the document
> or whether they've dotted their i's and crossed their t's.
> What I want to know is, do people think that these are reasonable
> design goals for LDAP ACLs?
>
> The reason I'm taking this unusual step is that I'd rather have
> their design goals reviewed now, than to question them when the
> protocol specification goes to Proposed Standard. In addition
> to this list, I've also asked IESG to recruit security and
> operational experts to review this.
>
> Keith
>
> p.s. yes, we should change the title to "design goals" rather than
> "requirements", and this should be published as Informational rather
> than Proposed Standard (as it was Last Called). We will ask for
> these things to be fixed in the next revision. But right now we're
> more concerned with the criteria in the document, and we don't want
> to ask the authors to revise the document to fix the wording
> before we submit it for additional review.
Received on Saturday, 27 March 1999 02:22:25 UTC