
Re: Access Control



> 	fact of life:  there is no IETF authentication standard in general
> deployment and I don't think there is anything that one would even call a
> standard.  This is a problem on several fronts and one which I think we
> should push for solution to, this year.

Whether or not this assessment is correct depends very much on what you mean by
"authentication". If you're talking about end-to-end authentication across a
store-and-forward protocol like email, then yes I agree absolutely. But if
you're talking about point-to-point authentication, I disagree. We have
standard solutions in this area for IMAP4 and POP3 that are in fact in fairly
widespread use.

> 	The ACAP working group (configuration protocol, effort derivative
> of IMAP) has an authorization spec that it is considering.

Both ACAP and SMTP are in the process of acquiring the same technology that is
being used with POP3 and IMAP4. Having a common authentication framework for
all of these is proving to be a huge win for implementors.

Note also that authentication is only one part of access control. Both IMAP4
and ACAP share a core access control model that I would strongly recommend as a
starting point for any access control model for calendaring. There are obvious
differences, of course, but having these be as close to each other as possible
would again be a major win in my opinion.

> 	I'm not clear about the distinction you are making between
> authorization and access control.  I'm used to treating them as synonyms.

Authorization is normally just a means of identifying someone. Access control
is what happens after that: Given that you're so-and-so, there has to be some
mechanism that defines what you can or cannot do and what you can or cannot do
it to. Access control therefore involves a lot of stuff other than simple
authentication:

(1) Defining an object space of things to be secured.
(2) Defining what can be done to these objects and thus what rights can be
    granted or denied to different users.
(3) In the case of hierarchical object spaces, defining how rights are
    inherited and propagated. This includes specification of default rights
    for newly created objects.
(4) Defining the interfaces to present all this to applications.

				Ned
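The four-part breakdown in the message above, worked through as an added example that is not part of the original thread and not the IMAP or ACAP ACL mechanism itself: a small hierarchical object space, a fixed set of rights, an inheritance rule with defaults for newly created objects, and the interface an application would call. The right letters (loosely in the IMAP ACL style), the "anyone" wildcard identifier, the inheritance rule and the default right sets are all assumptions made for this illustration; the users and objects in the scenario are constructed.

```python
"""Toy hierarchical access-control model (added example, not code from the
thread or from IMAP/ACAP). The right letters, the 'anyone' identifier, the
inheritance rule and the default sets are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# (2) Rights that can be granted or denied on any object (assumed set).
RIGHTS = {
    "l": "lookup: see that the object exists",
    "r": "read the object",
    "w": "modify the object",
    "c": "create child objects",
    "d": "delete the object",
    "a": "administer: change the object's ACL",
}
ALL_RIGHTS = frozenset(RIGHTS)
ANYONE = "anyone"  # assumed wildcard identifier matching every authenticated user


class AccessDenied(PermissionError):
    """Raised when an authenticated identity lacks the right an operation needs."""


@dataclass
class ACLNode:
    """(1) One object in the hierarchical object space, e.g. a calendar."""
    name: str
    parent: Optional["ACLNode"] = None
    granted: Dict[str, Set[str]] = field(default_factory=dict)  # identifier -> rights
    denied: Dict[str, Set[str]] = field(default_factory=dict)   # identifier -> rights
    children: Dict[str, "ACLNode"] = field(default_factory=dict)


class ObjectSpace:
    """(4) The interface an application calls. Every call names an already
    authenticated identity; authentication alone decides nothing here."""

    def __init__(self, owner: str, creator_defaults: str = "lrwcda", anyone_defaults: str = "l"):
        self.creator_defaults = set(creator_defaults)  # (3) defaults for new objects
        self.anyone_defaults = set(anyone_defaults)
        self.root = ACLNode("")
        self.root.granted[owner] = set(ALL_RIGHTS)     # the owner bootstraps the tree

    def _lookup(self, path: str) -> ACLNode:
        node = self.root
        for part in filter(None, path.split("/")):
            if part not in node.children:
                raise KeyError(path)
            node = node.children[part]
        return node

    def _effective(self, node: ACLNode, user: str) -> Set[str]:
        # (3) Inheritance rule (assumption): start from the parent's effective
        # rights, add this node's explicit grants, then remove its explicit
        # denies, so a deny at a level always beats a grant at the same level.
        rights = set() if node.parent is None else self._effective(node.parent, user)
        for ident in (ANYONE, user):
            rights |= node.granted.get(ident, set())
        for ident in (ANYONE, user):
            rights -= node.denied.get(ident, set())
        return rights

    def effective_rights(self, path: str, user: str) -> Set[str]:
        return self._effective(self._lookup(path), user)

    def check(self, path: str, user: str, right: str) -> bool:
        if right not in ALL_RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        return right in self.effective_rights(path, user)

    def create(self, parent_path: str, name: str, creator: str) -> str:
        if not self.check(parent_path, creator, "c"):
            raise AccessDenied(f"{creator} may not create under {parent_path!r}")
        parent = self._lookup(parent_path)
        if name in parent.children:
            raise KeyError(f"{name} already exists under {parent_path!r}")
        node = ACLNode(name, parent)
        # (3) Default rights for a new object: the creator gets the creator
        # defaults, everyone else the 'anyone' defaults; the rest is inherited.
        node.granted[creator] = set(self.creator_defaults)
        node.granted[ANYONE] = set(self.anyone_defaults)
        parent.children[name] = node
        return f"{parent_path.rstrip('/')}/{name}"

    def set_acl(self, path: str, actor: str, ident: str, grant: str = "", deny: str = "") -> None:
        if not self.check(path, actor, "a"):
            raise AccessDenied(f"{actor} may not administer {path!r}")
        if not ((set(grant) | set(deny)) <= ALL_RIGHTS):
            raise ValueError("unknown right letter in ACL change")
        node = self._lookup(path)
        node.granted.setdefault(ident, set()).update(grant)
        node.granted[ident].difference_update(deny)
        node.denied.setdefault(ident, set()).update(deny)
        node.denied[ident].difference_update(grant)


def demo() -> dict:
    """Constructed scenario: 'admin' owns the tree; 'alice' and 'bob' are
    authenticated users. Returns the outcomes so they can be checked."""
    space = ObjectSpace(owner="admin")
    team = space.create("", "team", "admin")
    standup = space.create(team, "standup", "admin")
    space.set_acl(team, "admin", "alice", grant="rc")   # alice may read /team and create under it
    event = space.create(team, "alice-1on1", "alice")   # alice receives the creator defaults here
    space.set_acl(standup, "admin", "bob", deny="l")    # hide the standup from bob only
    try:
        space.create(team, "bobs-thing", "bob")         # bob inherits only 'l' on /team
        bob_create_blocked = False
    except AccessDenied:
        bob_create_blocked = True
    return {
        "alice_on_team": space.effective_rights(team, "alice"),
        "alice_on_event": space.effective_rights(event, "alice"),
        "bob_on_standup": space.effective_rights(standup, "bob"),
        "bob_on_event": space.effective_rights(event, "bob"),
        "admin_on_event": space.effective_rights(event, "admin"),
        "bob_create_blocked": bob_create_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The design choice worth noticing is that a deny placed on one object removes an inherited right only at that object and below, while the parent is untouched; that is what lets the standup be hidden from one user without changing what that user sees elsewhere in the tree.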