Re: RE*2: Revised list of restrictions and privelege attributes
rsalz@osf.org Mon, 22 November 1993 15:03 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa01564; 22 Nov 93 10:03 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa01560; 22 Nov 93 10:03 EST
Received: from venera.isi.edu by CNRI.Reston.VA.US id aa02978; 22 Nov 93 10:03 EST
Received: from postman.osf.org by venera.isi.edu (5.65c/5.61+local-14) id <AA28494>; Mon, 22 Nov 1993 06:37:49 -0800
Received: from sulphur.osf.org by postman.osf.org (5.64+/OSF 1.0) id AA06726; Mon, 22 Nov 93 09:37:46 -0500
Received: by sulphur.osf.org (1.37.109.4/4.7) id AA09648; Mon, 22 Nov 93 09:37:53 -0500
Date: Mon, 22 Nov 1993 09:37:53 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: rsalz@osf.org
Message-Id: <9311221437.AA09648@sulphur.osf.org>
To: P.V.McMahon@rea0803.wins.icl.co.uk, ietf-aac@isi.edu
Subject: Re: RE*2: Revised list of restrictions and privelege attributes
> I guess Cliff will reply too. Here is my 0.02 on Rich's remarks: He has not. I continue to be very disappointed in the way the IETF security WG's operate in that it is impossible for someone to contribute without attending the meetings in person. This is a shame. I cannot respond in detail to Pier's points because I am still confused. As I said in my first message: > > I am having a bit of trouble understand this whole first paragraph. > > Either some ASCII art, or a concrete example showing a user doing > > something like FTP speaking to an ftp server on another machine? > The definition of "rights" you suggest here is (I believe) needlessly > narrower that the conventional one, and seems to seek to give new > semantics to a normal English term. For most systems including those > outside the IT system world it is normal to consider as logically > separate the notions of (1) possessing rights, and (2) seeking authorisation > for a specific operation. It seems inappropriate to conflate the two > concepts. I disagree that my use of the "rights" is constricted or unusual. My intent is to put things into the simplest possible terms: a client presents a list of "things" which say "I am John. Bob also says I'm his cousin." He presents this list (which is his identity) with his request "I want to read the 'foo' database" to the server. The server decides whether or not John can read 'foo' and takes the appropriate action. As I read the document, the client says "I am John. Bob says I can read 'foo'. I want to read 'foo'". Is that right? If not, what is a right? My model says a client merely has an identity, and the server decides if the client has the correct rights to perform the requested operation. > Possession of a proxy (suggested general term which includes e.g.: DCE > privilege attribute cert) permits the assignee to assert privileges granted > by the assigner subject to specified restrictions. I think proxy is a bad term. When I send a print /tmp/foo request to the printer, then the printer system will be acting as my proxy when, later, it asks the filesystem for the contents of that file. > My understanding about DCE1.1 (without posessing the functional spec > which you have) is that the legacy system support extension (RFC6) uses a > UUID to identity each extended registry attribute type. True? I'm not sure what you mean by "extended registry attribute type." An extended attribute, e.g., MVS login information, is identified by a uuid. The type and value of that data is separate from the attribute; the uuid is basically the name so that attributes are really name/type/value triplets. > It was suggested during the 01NOV93 AAC meeting that the LOCAL_UID be > qualified in an analagous way with the identity of the applicable system > so you know whether it applies to UNIX, MVS, or indeed DOS (not). So I get something like <tag-indicating-unix-uid, 93> <tag-indicating-mvs-acct ied3321:cteowd> <tag-indicating-multics-acct rsalz.tech.guest> ? Does it really help to know "1440" without, say, qualifying it by sulphur.osf.org? /r$