Re: Access Control

[Dave Crocker <dcrocker@xxxxxxxxxxxxxxx>]

Frank,

At 11:51 AM -0700 7/29/96, Frank Dawson wrote:
>We probably need to differentiate between a few of the security terms that
>have
>been used in this list and at the previous calendaring summit meeting. I
>think
>that these were AUTHORIZATION, AUTENTICATION, and ACCESS CONTROL.
>
>Typically, authorization and authentication would be done within the service
>level. If we are using an email service access, then authorization might map
>through the originator's SMTP address. The authentication might be mapped
>using
>some current IETF authentication service (eg, certificates).

	fact of life:  there is no IETF authentication standard in general
deployment and I don't think there is anything that one would even call a
standard.  This is a problem on several fronts and one which I think we
should push for solution to, this year.

	The ACAP working group (configuration protocol, effort derivative
of IMAP) has an authorization spec that it is considering.

>In many calendaring/scheduling systems, access control is defined on a per
>user
>or per group basis by the owner of the calendar that is being "accessed".

	I'm not clear about the distinction you are making between
authorization and access control.  I'm used to treating them as synonyms.
Please elaborate.

d/

--------------------
Dave Crocker                                            +1 408 246 8253
Brandenburg Consulting                             fax: +1 408 249 6205
675 Spruce Dr.                                 dcrocker@brandenburg.com
Sunnyvale CA 94086 USA                       http://www.brandenburg.com

Internet Mail Consortium               http://www.imc.org, info@imc.org