[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LDAP ISSUE

To: Tom Gindin <tgindin@xxxxxxxxxx>
Subject: Re: LDAP ISSUE
From: David Chadwick <d.w.chadwick@xxxxxxxxxxxxx>
Date: Wed, 31 Jul 2002 18:04:47 +0100
Cc: steve.hanna@xxxxxxxxxxxx, "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: University of Salford
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Tom Gindin wrote:
> 
>       One of the problems with keywords is the state of the registry.
> First, section 2.3 of RFC 2253 does permit new keywords (the table which
> appears there says "As an example, strings for a few of the attribute types
> frequently seen ...").  Second, the assignment table in IANA (
> http://www.iana.org/assignments/directory-system-names) is further behind
> than RFC 2253, because it's missing DC and UID.
>       I would like to ask a few questions.  First, is there any reason why
> the two attributes added to RFC 2253 after RFC 1779 should not be added to
> IANA's keyword registry? 

In my opinion none. The only reason they have not been is that LDAPBIS
had decided not to use the registry again and to keep the keywords as a
fixed short list (which is why the topic has been reopened again). Since
the LDAPBIS group had decided to close down the registry, I issued the
PKIX ID as an alternative way of publishing the DN strings. But the
registry is a better way, provided we have an agreed mechanism for
deciding who can add new entries to it.

> Second, should not any new registrations be made
> there? 

Yes, once the registry is functional again. (I think IANA may think it
is no longer being used)


> Third, if PKIX is going to suggest new entries for DN attributes,
> shouldn't we be also adding the RFC 2587 attributes, which are PKIX
> specific?  

Yes

>Last, and outside the scope of PKIX, why should not attributes
> defined in X.520, RFC 1274, and PKCS#9 have keywords added to this
> registry, as those in X.520 and RFC 1274 currently can be found at
> ldap.akbkhome.com?

Thanks for pointing me to this useful LDAP resource. I personnally see
no reason why all of the above should not have their friendly strings
usuable in RDNs instead of OIDs.


David

> 
>             Tom Gindin
> 
> David Chadwick <d.w.chadwick@xxxxxxxxxxxxx>@mail.imc.org on 07/23/2002
> 07:09:52 AM
> 
> Sent by:    owner-ietf-pkix@xxxxxxxxxxxx
> 
> To:    steve.hanna@xxxxxxxxxxxx
> cc:    "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
> Subject:    Re: LDAP ISSUE
> 
> Dave
> 
> the current LDAP model is that the server does the mapping, and that the
> client does not need to be bothered with the OIDs. Simple clients will
> not map between keywords and the user interface (the user will see the
> keywords). More sophisticated clients will do some presentation mapping
> e.g. serialNumber into Serial Number.
> 
> David
> 
> Steve Hanna wrote:
> >
> > Yes, this is a presentation issue. OIDs work fine on the wire
> > (in the LDAP protocol). Keywords are only important when
> > users need to understand the DN. I agree with your suggestion
> > completely. Use OIDs on the wire for maximum compatibility
> > and simplicity in implementation. Clients can translate these
> > to and from user-friendly keywords, if they want.
> >
> > -Steve
> >
> > >
> > >Steve,
> > >
> > >That sounds like a presentation issue, and perhaps that's what
> > >you meant to imply by emphasizing "on the wire".
> > >
> > >Would it not be reasonable for new DN attribute keywords to
> > >be registered with IANA, and permit newly developed clients
> > >to translate between keywords (for human consumption)
> > >and OIDs (on the wire)?
> > >
> > >Dave
> > >
> > >
> > >
> > >
> > >Steve Hanna wrote:
> > >>
> > >> Actually, there is a good reason for the position of the LDAP
> > >> group on this issue.
> > >>
> > >> The reason that new keywords for attribute types in X.500 DNs
> > >> cannot be sent on the wire in LDAP protocol messages is that
> > >> old LDAP servers won't know what the new keywords mean. For
> > >> user input and output, new keywords can be added. But you
> > >> can't expect existing LDAP servers to automagically understand
> > >> what a new keyword means when they see it on the wire. OIDs
> > >> are the best way to handle this.
> > >>
> > >> Also, this is not a new position. RFC 1779 (for LDAPv2)
> > >> allowed new keywords and defined an IANA registry. But no
> > >> new keywords were ever defined. I suspect that people
> > >> realized the problems that would ensue. RFC 2253 (for LDAPv3)
> > >> does not allow new keywords. And the revised version of 2253
> > >> (draft-ietf-ldapbis-dn-07.txt) also does not.
> > >>
> > >> Steve
> 
> --
> *****************************************************************
> 
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> IS Institute, University of Salford, Salford M5 4WT
> Tel: +44 161 295 5351  Fax +44 01484 532930
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxxxxx
> Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
> Research Projects: http://sec.isi.salford.ac.uk
> Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************

-- 
*****************************************************************

David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxxxxx
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500:  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

begin:vcard 
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://www.salford.ac.uk/its024/chadwick.htm
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@xxxxxxxxxxxxx
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500:  http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-4856
fn:David Chadwick
end:vcard

References:
- Re: LDAP ISSUE
  - From: Tom Gindin

Prev by Date: Re: LDAP ISSUE
Next by Date: Re: TSP interoperability testing (RFC 3161)
Previous by thread: Re: LDAP ISSUE
Next by thread: X.509 PMI Research
Index(es):
- Date
- Thread