W3C home > Mailing lists > Public > ietf-discuss@w3.org > March 1999

Re: need review for draft-ietf-ldapext-acl-reqts-01.txt

From: Steve Kille <S.Kille@isode.com>
Date: Sat, 27 Mar 1999 07:18:29 +0000
To: Keith Moore <moore@cs.utk.edu>
Cc: discuss@apps.ietf.org
Message-ID: <EXECMAIL.990327071829.E@ent.isode.com>

I think it was useful for you to send this message.

I've looked at this document as a WG member, and it seems broadly sensible.

The problem is not this document, but how it ties into a broader picture.  
There are a few related things:

1) What is LDAP.   Some of us view it as an access protocol, with one of its
key benefits being that it is a "lowest common denominator" that can connect
into NDS, X.500, Oracle Databases, or servers designed specifically to 
support LDAP.   Others view that LDAP is synonymous with "Internet 
Directory".   To me, the former view is a massive strength, which has 
enabled everyone to agree on LDAP!  Whatever,  I think that there needs to 
be a general view taken on this, and it goes much broader than the LDAP WG.

2) I think that what we are talking about here is "Internet Directory Access
Control".  It is not just to do with the access protocol.   

3) A key issue for Internet Directory Access Control, is whether to use 
X.500 Access Control.  This has been discussed in the WG, and there is a 
strong and clear view in the WG, that this should be looked at seriously.   
I think that there has been a fairly clear view that X.500 Access Control 
meets the functional requirements.   If it does not, there is a good liaison
with the X.500 cttee, and I am sure that they would look at dealing with 
further requirements.   There are some that think X.500 Access Control is 
the right direction.  For the most part, these people are just getting on 
with using this, as they view the spec to be done.   Others think that X.500
belongs with the dinosaurs, and are proposing specifications.   One group 
writing a specification have written a document explaining why they don't 
like X.500.   I don't think anyone has taken a more objective view here.  I 
view that having multiple specifications here will hurt (much more than 
replication, where co-existence of multiple protocols would not really be a 
big deal).   I feel strongly that the IETF should adopt X.500 Access 
Control for the Internet Directory: it will do the job.   I think that those
writing the ACL specs are suffering from NIH, and not taking a broader view.
The group proposing the ACL specs are using this requirements doc as a 
mechanism to promote their specification (i.e., it has a hidden agenda).
I think that there is a third (silent) group, whose commercial interests 
would prefer not to see a clean and coherent resolution.

4) It may make sense to look at how this ties in to access control for 
related services, such as ACAP and IMAP.

Steve Kille

On Fri, 26 Mar 1999 18:18:44 -0500 Keith Moore <moore@cs.utk.edu> wrote:

> Folks,
> The LDAPEXT working group has submitted a document called
> Access Control Requirements for LDAP for IESG approval.
> I'd appreciate some review of this document by the extended community.
> The issue is not so much whether we should publish the document
> or whether they've dotted their i's and crossed their t's.
> What I want to know is, do people think that these are reasonable 
> design goals for LDAP ACLs?  
> The reason I'm taking this unusual step is that I'd rather have 
> their design goals reviewed now, than to question them when the 
> protocol specification goes to Proposed Standard.  In addition 
> to this list, I've also asked IESG to recruit security and 
> operational experts to review this.
> Keith
> p.s. yes, we should change the title to "design goals" rather than 
> "requirements", and this should be published as Informational rather 
> than Proposed Standard (as it was Last Called).  We will ask for 
> these things to be fixed in the next revision.  But right now we're 
> more concerned with the criteria in the document, and we don't want 
> to ask the authors to revise the document to fix the wording  
> before we submit it for additional review.
Received on Saturday, 27 March 1999 02:22:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:08:05 UTC