
Re: LDAP ISSUE



Good point!

I think we SHOULD assign each attribute a well defined friendly name.

If we do not have well defined names for OIDs, some directory vendors will
(and have already) come up with the friendly names of their own. E.g. is
email address in DN "E" or "EMAIL"?

I would love to see a simple rfc (rfc2253bis?) with more oids associated with
friendly names.

Vesa

"David Chadwick" <d.w.chadwick@xxxxxxxxxxxxx> wrote in message
news:<3D3661E4.73E6DA8A@xxxxxxxxxxxxx>...
>
>
> There was one LDAP item missed out of the agenda yesterday due to lack
> of time. This concerns the use of user friendly strings in LDAP DNs. It
> is not an issue of how DNs are encoded in certificates (as these are
> ASN.1 DER), but rather how DNs are encoded in the LDAP protocol when
> asking to retrieve or store a certificate. LDAP uses user friendly
> strings to refer to attribute types, but can use OIDs if no user
> friendly strings are known. In the case of DNs, a list of 9 attribute
> type user friendly strings is published in RFC 2253 (e.g. C, O, OU
> etc.). The revision of LDAPv3 is currently stating that no further
> strings can be defined for Internet use (earlier versions allowed for
> other strings to be defined e.g. registered with IANA, but no one had
> ever bothered to register any further strings). The PKIX group has
> specified a larger set of attribute types in its Qualified Certificates
> profile RFC 3039. In practical terms this means that the applications
> using LDAP APIs will be able to pass user friendly strings for some of
> the attributes but not for others e.g. CN=David Chadwick +
> SerialNumber=12345 would need to be passed to the LDAP API as CN=David
> Chadwick + 2.5.4.5=12345.
>
> The PKIX draft <draft-ietf-pkix-dnstrings-00.txt> defines strings for
> PKIX used attribute types so that a consistent call can be made to the
> LDAP API. This might be useful for example where users type in DNs at
> the user interface level, or they are read in from configuration files.
> Without this change the application will need to have a table of which
> attributes can be sent to LDAP as strings and which will need to be sent
> as OIDs. (You clearly cannot expect users to type in OIDs). Some in the
> LDAP group are opposed to the PKIX group publishing this ID, as they
> don't want to possibly open the floodgates to lots of other strings
> being registered.
>
> So the question that the PKIX group needs to answer is "Do we care or
> not". Silence on the list implies that PKI application providers don't
> really care, as they are happy to pass either a mixture of OIDs and user
> friendly strings, or all OIDs (the latter is not ruled out), to their
> LDAP APIs. If you think it is important to be able to pass all user
> friendly strings to the LDAP API, then please respond now.
>
> Thank you
>
> David
>
> --
> *****************************************************************
>
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> IS Institute, University of Salford, Salford M5 4WT
> Tel: +44 161 295 5351  Fax +44 01484 532930
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxxxxx
> Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
> Research Projects: http://sec.isi.salford.ac.uk
> Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
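The situation David describes (an application keeping its own table of which attribute types may go to the LDAP API as friendly names and which must go as dotted OIDs) is easy to make concrete. The following Python is an added example written for this archive page; it is not code from either poster or from any LDAP implementation. It carries the nine RFC 2253 names, serialises a DN in RFC 2253 string form so that a type outside that table falls back to its OID (giving exactly `CN=David Chadwick+2.5.4.5=12345`), and resolves type tokens on the way back in, rejecting vendor-invented names such as `E` or `EMAIL` rather than guessing what they mean. The `EXTENDED_NAMES` table that adds `SERIALNUMBER` is an assumption standing in for what a dnstrings-style registration would provide; the sample DN is constructed.

```python
"""RFC 2253 DN string handling with an explicit friendly-name table (added example)."""
import re

# Attribute types whose friendly names are fixed by RFC 2253 section 2.3, keyed by OID.
RFC2253_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.6": "C",
    "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC",
    "0.9.2342.19200300.100.1.1": "UID",
}

# Types RFC 2253 gives no name for: they must travel as dotted OIDs.
SERIAL_NUMBER_OID = "2.5.4.5"               # X.520 serialNumber
EMAIL_ADDRESS_OID = "1.2.840.113549.1.9.1"  # PKCS#9 emailAddress

# Assumed extension of the table, modelling a registered name for serialNumber.
EXTENDED_NAMES = {**RFC2253_NAMES, SERIAL_NUMBER_OID: "SERIALNUMBER"}

_OID_RE = re.compile(r"^[0-2](\.\d+)+$")
_NEEDS_ESCAPE = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape an attribute value as RFC 2253 section 2.4 requires:
    special characters anywhere, '#' at the start, space at start or end."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _NEEDS_ESCAPE or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def type_to_string(oid: str, names=RFC2253_NAMES) -> str:
    """Friendly name when the table knows the type, otherwise the dotted OID itself."""
    return names.get(oid, oid)


def dn_to_string(rdns, names=RFC2253_NAMES) -> str:
    """rdns: list of RDNs in ASN.1 order (root first); each RDN is a list of
    (oid, value) pairs. RFC 2253 emits RDNs leaf-first, separated by ',',
    and joins the AVAs of a multi-valued RDN with '+'."""
    parts = []
    for rdn in reversed(rdns):
        parts.append("+".join(f"{type_to_string(oid, names)}={escape_value(v)}"
                              for oid, v in rdn))
    return ",".join(parts)


def resolve_type(token: str, names=RFC2253_NAMES) -> str:
    """Map a type token from a DN string back to its OID. Dotted OIDs and the
    names in `names` (case-insensitive) are accepted; anything else is rejected
    rather than guessed, because a name one vendor invented may mean something
    different, or nothing, to another directory."""
    if _OID_RE.match(token):
        return token
    by_name = {name.upper(): oid for oid, name in names.items()}
    try:
        return by_name[token.upper()]
    except KeyError:
        raise ValueError(f"unknown attribute type name {token!r}; send its OID instead") from None


def is_portable(token: str, names=RFC2253_NAMES) -> bool:
    """True when `token` can be sent to any RFC 2253-conformant LDAP API."""
    try:
        resolve_type(token, names)
        return True
    except ValueError:
        return False


# Constructed sample DN in ASN.1 order: C, O, then a multi-valued leaf RDN.
EXAMPLE_DN = [
    [("2.5.4.6", "GB")],
    [("2.5.4.10", "University of Salford")],
    [("2.5.4.3", "David Chadwick"), (SERIAL_NUMBER_OID, "12345")],
]

if __name__ == "__main__":
    print(dn_to_string(EXAMPLE_DN))                 # RFC 2253 table: serialNumber as OID
    print(dn_to_string(EXAMPLE_DN, EXTENDED_NAMES))  # assumed extended table
    for tok in ("cn", "E", "EMAIL", EMAIL_ADDRESS_OID):
        print(f"{tok!r:28} portable={is_portable(tok)}")
```

Running the block prints the DN twice, once with `2.5.4.5=12345` and once with `SERIALNUMBER=12345`, then shows that `cn` and the emailAddress OID resolve while `E` and `EMAIL` do not: that last pair is Vesa's point, since two directories that each picked a different unregistered name cannot exchange the same DN string.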