On Mar 31, 2008, at 10:16 PM, Andrew Sciberras wrote:
Hi Kurt,

Just some comments that are specific to the administrative model.

3. Password Policy Administrative Model

Administrative Area Scope

In [BEHERA] it was stated that a password policy could be defined for a specific user by creating a password policy subentry directly under that entry. To me, this suggests that password policy administrative points act like specific administrative areas. Is this behavior intended to remain?

Administrative Role

In accordance with X.501 and RFC3672, do you intend to define an Administrative Role attribute value to identify that a particular administrative area is concerned with password policy administration?

Multiple Policies

I assume that the draft allows multiple passwdPolicy subentries to exist below a given administrative point... This should be explicitly clarified in the I-D.

Multiple subentries could be used to allow policies to apply to different attributes, or to allow different policies to apply to a given password attribute conditionally, based on the objectClass of an entry (~ using subtreeSpecification's).

However, policies may also be created that inadvertently (or otherwise) conflict with each other. Clarifications on this should probably be made to avoid confusion.

My intent is for each entry to be governed by at most one password policy, the policy governing entries within a specific administrative area.

-- Kurt

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.