[Kdc-info] policy-as-code
Leif Johansson
leifj at it.su.se
Wed May 14 03:29:13 EDT 2003
I had a discussion with Love Hörnqvist-Åstrand who had an interesting point concerning policy-requirements in a kdc which makes me doubt the long-term feasibility of modelling policy in the directory. The argument goes something like this (Love: Please correct me on the list if I got you wrong, ok?):

Today policy can be described in terms of a fixed set of parameters (password expiry days for instance) but this may be inadequate to describe more complex but necessary policy. For instance try to express: all */admin must have more than 4 iterations in AES or only requests coming from a certain set of hosts are allowed to obtain tickets for foo-service/foo.example.com@EXAMPLE.COM.

I would like comments on this -- is it relevant? Do we still model the policy we have today and ignore anything else or do we try to encompass these situations?
/leifj
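
The two example policies from the message above, written as predicates over a ticket request. This is an added illustration, not part of the original message and not code from any KDC; the `Request` fields, the reading of "iterations in AES" as a per-principal attribute, and the host allow-list are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    client: str          # requesting principal, e.g. "alice/admin@EXAMPLE.COM"
    aes_iterations: int  # assumed: iteration count stored with the client's AES key
    service: str         # principal the ticket is requested for
    source_ip: str       # address the request arrived from

# Constructed allow-list (documentation address range), not from the original message.
FOO_SERVICE = "foo-service/foo.example.com@EXAMPLE.COM"
FOO_HOSTS = [ip_network("192.0.2.0/28")]

def admin_aes_iterations(req):
    """All */admin principals must have more than 4 iterations in AES."""
    if fnmatchcase(req.client, "*/admin@*") and req.aes_iterations <= 4:
        return f"{req.client}: needs more than 4 AES iterations"
    return None

def foo_service_source_hosts(req):
    """Only a certain set of hosts may obtain tickets for foo-service."""
    if req.service != FOO_SERVICE:
        return None
    try:
        allowed = any(ip_address(req.source_ip) in net for net in FOO_HOSTS)
    except ValueError:
        allowed = False  # unparsable source address: fail closed
    return None if allowed else f"{req.source_ip}: host not allowed for {FOO_SERVICE}"

RULES = [admin_aes_iterations, foo_service_source_hosts]

def evaluate(req):
    """Return every denial reason; an empty list means the request is allowed."""
    return [reason for rule in RULES if (reason := rule(req)) is not None]

if __name__ == "__main__":
    tgt = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
    for req in (Request("alice/admin@EXAMPLE.COM", 4, tgt, "192.0.2.5"),
                Request("bob@EXAMPLE.COM", 1, FOO_SERVICE, "198.51.100.7"),
                Request("bob@EXAMPLE.COM", 1, FOO_SERVICE, "192.0.2.5")):
        print(req.client, "->", evaluate(req) or "allowed")
```

Each rule conditions on a principal pattern or on request context, which is what a fixed per-principal parameter such as password expiry days has no slot for.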