[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LDAP ISSUE
One of the problems with keywords is the state of the registry.
First, section 2.3 of RFC 2253 does permit new keywords (the table which
appears there says "As an example, strings for a few of the attribute types
frequently seen ..."). Second, the assignment table in IANA (
http://www.iana.org/assignments/directory-system-names) is further behind
than RFC 2253, because it's missing DC and UID.
I would like to ask a few questions. First, is there any reason why
the two attributes added to RFC 2253 after RFC 1779 should not be added to
IANA's keyword registry? Second, should not any new registrations be made
there? Third, if PKIX is going to suggest new entries for DN attributes,
shouldn't we be also adding the RFC 2587 attributes, which are PKIX
specific? Last, and outside the scope of PKIX, why should not attributes
defined in X.520, RFC 1274, and PKCS#9 have keywords added to this
registry, as those in X.520 and RFC 1274 currently can be found at
ldap.akbkhome.com?
Tom Gindin
David Chadwick <d.w.chadwick@xxxxxxxxxxxxx>@mail.imc.org on 07/23/2002
07:09:52 AM
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
To: steve.hanna@xxxxxxxxxxxx
cc: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: LDAP ISSUE
Dave
the current LDAP model is that the server does the mapping, and that the
client does not need to be bothered with the OIDs. Simple clients will
not map between keywords and the user interface (the user will see the
keywords). More sophisticated clients will do some presentation mapping
e.g. serialNumber into Serial Number.
David
Steve Hanna wrote:
>
> Yes, this is a presentation issue. OIDs work fine on the wire
> (in the LDAP protocol). Keywords are only important when
> users need to understand the DN. I agree with your suggestion
> completely. Use OIDs on the wire for maximum compatibility
> and simplicity in implementation. Clients can translate these
> to and from user-friendly keywords, if they want.
>
> -Steve
>
> >
> >Steve,
> >
> >That sounds like a presentation issue, and perhaps that's what
> >you meant to imply by emphasizing "on the wire".
> >
> >Would it not be reasonable for new DN attribute keywords to
> >be registered with IANA, and permit newly developed clients
> >to translate between keywords (for human consumption)
> >and OIDs (on the wire)?
> >
> >Dave
> >
> >
> >
> >
> >Steve Hanna wrote:
> >>
> >> Actually, there is a good reason for the position of the LDAP
> >> group on this issue.
> >>
> >> The reason that new keywords for attribute types in X.500 DNs
> >> cannot be sent on the wire in LDAP protocol messages is that
> >> old LDAP servers won't know what the new keywords mean. For
> >> user input and output, new keywords can be added. But you
> >> can't expect existing LDAP servers to automagically understand
> >> what a new keyword means when they see it on the wire. OIDs
> >> are the best way to handle this.
> >>
> >> Also, this is not a new position. RFC 1779 (for LDAPv2)
> >> allowed new keywords and defined an IANA registry. But no
> >> new keywords were ever defined. I suspect that people
> >> realized the problems that would ensue. RFC 2253 (for LDAPv3)
> >> does not allow new keywords. And the revised version of 2253
> >> (draft-ietf-ldapbis-dn-07.txt) also does not.
> >>
> >> Steve
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxxxxx
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************