IMHW400@INDYVAX.BITNET (06/24/88)
[EVERHART%ARISIA.decnet@GE-CRD.ARPA suggests a scheme for propagating security
identifiers across DECnet.]

Two thoughts on your interesting proposal:

o  Maybe the new Distributed Name Service can help out somehow?  It could make
   the identifiers' names and values known throughout the network, which is a
   start.

o  A less flexible approach can be had without so much network traffic.  A set
   of identifiers {NOT_IN_AREA, NOT_SAME_IDP, NOT_TRUSTED} can be implemented
   using only information available to the service process' node, by examining
   the requestor's address.  Only NOT_TRUSTED requires more overhead than a
   longword or string comparison.  While this does not allow the control of
   individual users' access, it *does* allow you to lock your files against
   the most likely sources of annoyance:  other network areas (divisions?),
   other networks (organizations?), and any node known to have many holders of
   TWIT.  If you don't mind some more table-lookups, you could have tables of
   trusted areas and IDPs as well.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mark H. Wood    IMHW400@INDYVAX.BITNET   (317)274-0749    III  U   U  PPPP   U   U  III
Indiana University - Purdue University at Indianapolis     I   U   U  P   P  U   U   I
799 West Michigan Street, ET 1023                          I   U   U  PPPP   U   U   I
Indianapolis, IN 46202 USA                                 I   U   U  P      U   U   I
[@disclaimer@]                                            III   UUU   P       UUU   III
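
The address-only check described in the second point above, as an added example that is not part of the original post. Assumptions: the function names, the (idp, "area.node") representation with DECnet Phase IV ranges, the opaque IDP strings, and the choice to grant every identifier when the requestor's address cannot be parsed.

```python
# Added example; names and the address representation are assumptions.
NOT_IN_AREA = "NOT_IN_AREA"
NOT_SAME_IDP = "NOT_SAME_IDP"
NOT_TRUSTED = "NOT_TRUSTED"
ALL_IDENTIFIERS = frozenset({NOT_IN_AREA, NOT_SAME_IDP, NOT_TRUSTED})


def parse_node(addr):
    """Parse 'area.node' (Phase IV ranges: area 1-63, node 1-1023)."""
    area_s, sep, node_s = addr.partition(".")
    if not (sep and area_s.isascii() and area_s.isdigit()
            and node_s.isascii() and node_s.isdigit()):
        raise ValueError(f"malformed node address: {addr!r}")
    area, node = int(area_s), int(node_s)
    if not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError(f"address out of range: {addr!r}")
    return area, node


def derive_identifiers(local, requestor, untrusted_nodes,
                       trusted_areas=frozenset(), trusted_idps=frozenset()):
    """Return the identifiers to attach to a request, from addresses alone.

    local, requestor: (idp, 'area.node') pairs; idp is an opaque string.
    untrusted_nodes: set of (idp, area, node) known to have many TWIT holders.
    """
    local_idp, local_addr = local
    local_area, _ = parse_node(local_addr)  # bad local config: raise loudly
    try:
        req_idp, req_addr = requestor
        req_area, req_node = parse_node(req_addr)
    except (ValueError, TypeError, AttributeError):
        return ALL_IDENTIFIERS  # unparseable requestor: most restrictive set

    granted = set()
    same_idp = req_idp == local_idp
    if not same_idp and req_idp not in trusted_idps:
        granted.add(NOT_SAME_IDP)
    # Choice made in this example: area numbers only mean something inside
    # one IDP, so a foreign IDP is out of area unless (idp, area) is trusted.
    in_area = same_idp and req_area == local_area
    if not in_area and (req_idp, req_area) not in trusted_areas:
        granted.add(NOT_IN_AREA)
    if (req_idp, req_area, req_node) in untrusted_nodes:  # the table lookup
        granted.add(NOT_TRUSTED)
    return frozenset(granted)
```

A file's protection would then deny access to holders of whichever of these identifiers the owner wants to lock out; the optional tables correspond to the "trusted areas and IDPs" mentioned at the end of the post.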