
Re: LDAP ISSUE



Sharon

I agree. Servers already know how to map between OIDs and 50 or more
attributes all defined in the X.500 User Schema RFC. But they are only
allowed to map 11 of them in DNs. This is surely silly. All 50+
attribute names should be allowed in DNs.

David


> Sharon Boeyen wrote:
> 
> I'd like to see strings for all the attributes PKIX allows for DNs. I
> think the draft currently defines strings for those that are in RFC
> 3280 as "MUST" support but that are not in RFC 2253. It should also
> define strings for the attributes that RFC 3280 says SHOULD be
> supported for DNs that don't appear in RFC 2253 (e.g. title, surname,
> given name, initials, generational qualifier).
> 
> Sharon
> 
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick@xxxxxxxxxxxxx]
> Sent: Thursday, July 18, 2002 2:36 AM
> To: PKIX
> Subject: LDAP ISSUE
> 
> There was one LDAP item missed out of the agenda yesterday due to lack
> of time. This concerns the use of user friendly strings in LDAP DNs. It
> is not an issue of how DNs are encoded in certificates (as these are
> ASN.1 DER), but rather how DNs are encoded in the LDAP protocol when
> asking to retrieve or store a certificate. LDAP uses user friendly
> strings to refer to attribute types, but can use OIDs if no user
> friendly strings are known. In the case of DNs, a list of 9 attribute
> type user friendly strings is published in RFC 2253 (e.g. C, O, OU
> etc.). The revision of LDAPv3 is currently stating that no further
> strings can be defined for Internet use (earlier versions allowed for
> other strings to be defined e.g. registered with IANA, but no one had
> ever bothered to register any further strings). The PKIX group has
> specified a larger set of attribute types in its Qualified Certificates
> profile RFC 3039. In practical terms this means that the applications
> using LDAP APIs will be able to pass user friendly strings for some of
> the attributes but not for others e.g. CN=David Chadwick +
> SerialNumber=12345 would need to be passed to the LDAP API as CN=David
> Chadwick + 2.5.4.5=12345.
> 
> The PKIX draft <draft-ietf-pkix-dnstrings-00.txt> defines strings for
> PKIX used attribute types so that a consistent call can be made to the
> LDAP API. This might be useful for example where users type in DNs at
> the user interface level, or they are read in from configuration files.
> Without this change the application will need to have a table of which
> attributes can be sent to LDAP as strings and which will need to be
> sent as OIDs. (You clearly cannot expect users to type in OIDs). Some
> in the LDAP group are opposed to the PKIX group publishing this ID, as
> they don't want to possibly open the floodgates to lots of other
> strings being registered.
> 
> So the question that the PKIX group needs to answer is "Do we care or
> not". Silence on the list implies that PKI application providers don't
> really care, as they are happy to pass either a mixture of OIDs and
> user friendly strings, or all OIDs (the latter is not ruled out), to
> their LDAP APIs. If you think it is important to be able to pass all
> user friendly strings to the LDAP API, then please respond now.
> 
> thank you
> 
> David
> 
> --
> *****************************************************************
> 
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> IS Institute, University of Salford, Salford M5 4WT
> Tel: +44 161 295 5351  Fax +44 01484 532930
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxxxxx
> Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
> Research Projects: http://sec.isi.salford.ac.uk
> Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
