
Re: LDAPv3 Replication Access Control Design Team Report





Kurt,

It's been a while since I've dabbled in "necessary and sufficient" ;-)

I'll grant that replication of access control attributes (or other policy
information) is not "sufficient" to ensure equivalent enforcement of that
policy on different servers, though in some cases (perhaps quite common),
it will be sufficient.  You earlier referenced a note that explained that
quite well.

Replication of access control information (where the specific scheme has
any attributes to replicate) is, however, "necessary."  And a few of us
think that a standard framework for access control would go a long way
towards enabling LDUP to satisfy the necessary conditions that are within
the realm of LDUP.  We can use that framework to specify which operational
attributes should or should not be replicated under given agreements.


John McMeeking



From: "Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxg>
To: Timothy Hahn/Durham/IBM@IBMUS
cc: ietf-ldup@xxxxxxx
Subject: Re: LDAPv3 Replication Access Control Design Team Report
Sent by: owner-ietf-ldup@mail.imc.org
Date: 09/12/2002 05:14 PM




At 12:32 PM 2002-09-12, Timothy Hahn wrote:
>With respect to your comment:
>
>"Likewise, a standard framework for non-standard ACMs, by itself, is not
>sufficient."
>
>I have to ask:  Why not?

Because, like a standard ACM, any common non-standard ACM would
also depend on identity management and other security services.

>But it seems to me that for "replication", we're clearly talking about
>LDAP "server"s communicating with one another, with the intent that if a
>"client" lands on any one of those "replicating" servers, that the results
>of their query will be the SAME (modulo the "eventual convergence" issues
>of course).

That's one of many uses.  Another use is replicating information
between enterprises under some agreement.  This agreement can
allow each enterprise to define its own access control policy
(for access to the replicated information in that enterprise).
Another is where one uses two LCUP to replicate information
between an internal-use-only server and a publicly-accessible
server.

For security reasons, it may be inappropriate to replicate
access control information between servers!

>How can such a thing be provided unless the same access
>control semantics are applied (with respect to the information
>replicated)?

By divorcing itself from those semantics!

Kurt
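As an added example that is not part of either message above (and not code from the LDUP working group), the following Python sketch shows the per-agreement attribute filtering that John McMeeking's framework would make expressible, applied to Kurt's second scenario, where an internal-use-only server feeds a publicly-accessible one and replicating the access control attribute would be inappropriate. The LDIF entries, the operational attribute name `aci`, and the agreement names are all constructed for this illustration; the LDIF parser handles only the plain `attr: value` form plus continuation lines.

```python
"""Per-agreement replication attribute filter (added example, not from the thread).

Assumptions, all constructed for illustration:
  - entries arrive as simple LDIF text (no base64 '::' values, no changetypes)
  - the access control policy lives in an operational attribute named 'aci'
  - each replication agreement lists the attributes it must NOT carry
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplicationAgreement:
    """A named agreement and the set of attribute names it excludes."""
    name: str
    exclude: frozenset = frozenset()


# Constructed agreements mirroring the two cases discussed in the thread:
# a same-policy mirror that carries everything, and an internal-to-public
# feed that must not export the internal access control policy.
MIRROR = ReplicationAgreement("intra-enterprise-mirror", frozenset())
PUBLIC = ReplicationAgreement("internal-to-public", frozenset({"aci"}))

# Constructed sample entries; the 'aci' value is a made-up policy string.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: person
cn: alice
aci: (targetattr="*")(version 3.0; acl "staff"; allow (read) groupdn="cn=staff,dc=example,dc=com";)
description: long values may be folded onto a
  continuation line, which LDIF marks with a leading space

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: person
cn: bob
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts (attrs lower-cased)."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            # LDIF continuation: append to the previous attribute's last value
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def apply_agreement(entries, agreement):
    """Return copies of the entries with the agreement's excluded attributes dropped."""
    return [
        {attr: list(values) for attr, values in entry.items()
         if attr.lower() not in agreement.exclude}
        for entry in entries
    ]


def leaked_attributes(entries, agreement):
    """Names of excluded attributes still present: a post-replication check a replica can run."""
    return sorted({attr for entry in entries for attr in entry
                   if attr.lower() in agreement.exclude})


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for agreement in (MIRROR, PUBLIC):
        out = apply_agreement(parsed, agreement)
        print(agreement.name, [sorted(e) for e in out],
              "leaks:", leaked_attributes(out, agreement))
```

`leaked_attributes` is the consumer-side check: a public replica that expects the internal-to-public agreement can verify that no excluded policy attribute arrived, which is the kind of per-agreement rule a standard access control framework would let LDUP state explicitly.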