RE: More problems with OCSP
Dear all, regarding my last response ("what are you building this with"), let me
explain.
LDAP servers generally like their namespace to the root - the world is
theirs. This creates a few interconnectivity problems, to say the least,
when one tries to group these things as a collective.
And, if you want to have authenticated users on a multi-LDAP server
system, referrals become useless and you have to replicate everything
to everywhere.
So if you build a system with LDAP servers like this, what you call
things under the root does not matter - Country can be WW or XX, Org can
be under this, and a person's entry can be unique and exist as replicated
entries all over. However, a new namespace just means that each server
grows and grows, as does the replication effort, so a wall will be hit
at some time.
If you want to build a real distributed directory system then a few
options can be taken up if LDAP/DAP-accessed X.500 distributed
directories are used. In addition one builds these things knowing that
at some point in time the system will grow with other DSAs/servers (via
DSP) or, as with us, subordinate LDAP servers (if OD DXserver is used),
i.e. these additions can have a different namespace (ownership).
So when dealing with scalable distributed directory systems the naming
and knowledge issues become more exact, and the operational backbone issues
re multi-master, caching, load balancing, alternates, fault
tolerance, etc. all require consideration.
In addition the schema needs to be thought through a bit more, as do the
requirements for distributed searching and domain-based and subtree-based
access control regimes.
I see a number of LDAP server naming approaches and schemas get put
together "easily", simply because the directory in this case is
isolated. So no operational and scaling rules apply re additional
namespace and cross-DSA searching. However, I have also seen this come
undone for the same reason, i.e. we need to connect server a with server b
and get distributed searches going and common access controls - and with
system reliability addressed.
I think it's very bad in directory system design to quote country and
organisational level name and schema design without operational,
system and interconnectivity issues defined. Because done in isolation
just means that external operational, commercial and technical issues
won't be addressed!
There are of course some who just want an isolated LDAP directory
server, with replicate everything to everywhere. However, there aren't
too many that want an isolated PABX - are there?
Just thoughts and regards alan
----------
From: Robert Moskowitz
To: Sweigert, David; Alan Lloyd; 'pgut001@cs.auckland.ac.nz';
ambarish@valicert.com; ietf-pkix@imc.org
Sent: 8/27/99 4:06:39 AM
Subject: RE: More problems with OCSP
At 06:28 PM 8/24/1999 -0400, Sweigert, David wrote:
If I remember correctly, GM goes by country and then function.
Chrysler went by function and then country (don't know what DCX will
do).
So do whatever you want. Either will work for your client; neither will
work for a global lookup.
>
>Has anyone grappled with the problem of defining a directory information
>tree for a multi-national company? In other words, how do divisions in
>the UK and US relate in the DIT if both divisions are within one corporate
>organization; say MARKETING.
>
>Would this be appropriate:
>
>c=US
>o=GlobalCorp
>ou=Marketing
>
>and
>
>c=UK
>o=GlobalCorp
>ou=Marketing
>
>
>Any thoughts on this ?
>
>Dave Sweigert
Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
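The point both replies make (a per-country DIT works for each local client but not for a "global lookup", and once servers are isolated the client has to carry the knowledge of every naming context or replicate everything) can be made concrete with a small model. The following is an added example, not code from the thread or from any product mentioned in it. It models two constructed LDAP servers, one holding the naming context c=US and one holding c=UK, each with the ou=Marketing,o=GlobalCorp branch from the quoted question, plus a client-side fan-out that stands in for the "distributed searching" Alan refers to. The DN parser is deliberately simplified (no escaping, no multi-valued RDNs); the server and person names are invented.

```python
"""Toy model of LDAP naming contexts ("knowledge") and distributed search.

Constructed example (not from the original thread). Two isolated servers
hold c=US and c=UK respectively. A search whose base falls outside every
naming context a server holds fails with noSuchObject, exactly the case
where a client asks a US server about o=GlobalCorp; a global lookup only
works when the client knows every naming context and fans out.
"""
from dataclasses import dataclass, field


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, root-first.

    Simplified RFC 4514 handling: no escaping, no multi-valued RDNs.
    Types are case-insensitive; values are compared case-insensitively,
    which matches caseIgnoreMatch attributes such as c, o, ou and cn.
    """
    if not dn.strip():
        return []                       # "" is the root DSE / empty DN
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return list(reversed(rdns))         # root-first so prefix tests work


def is_within(dn, base):
    """True when dn equals base or lies somewhere beneath it."""
    d, b = parse_dn(dn), parse_dn(base)
    return d[: len(b)] == b


class NoSuchObject(Exception):
    """LDAP resultCode 32: the base DN is not held by this server."""


@dataclass
class Server:
    name: str
    naming_contexts: list               # what this DSA knows it holds
    entries: dict = field(default_factory=dict)   # dn -> attributes

    def holds(self, base):
        return any(is_within(base, nc) for nc in self.naming_contexts)

    def search(self, base, filter_fn):
        """Subtree search. Fails like a real DSA when the base is outside
        every naming context it holds; no referral knowledge is modelled,
        which is the isolated-server case the thread describes."""
        if not self.holds(base):
            raise NoSuchObject(f"{self.name}: {base!r} not in {self.naming_contexts}")
        return sorted(dn for dn, attrs in self.entries.items()
                      if is_within(dn, base) and filter_fn(attrs))


def distributed_search(servers, base, filter_fn):
    """Client-side fan-out: the client carries the knowledge of which server
    holds which naming context. A base above a context (e.g. the root "")
    is sent to each server as a search of that context; a base inside a
    context goes to that server only; a base matching no context (such as
    o=GlobalCorp when the contexts are c=US and c=UK) reaches nobody."""
    results = []
    for s in servers:
        for nc in s.naming_contexts:
            if is_within(nc, base):             # base is above this context
                results += s.search(nc, filter_fn)
            elif is_within(base, nc):           # base is inside this context
                results += s.search(base, filter_fn)
    return sorted(set(results))


def in_marketing(attrs):
    """Filter equivalent of (ou=Marketing) on an entry's own attributes."""
    return "marketing" in [v.lower() for v in attrs.get("ou", [])]


# Constructed sample data: the two trees from the quoted question.
US = Server("us-ldap", ["c=US"], {
    "c=US": {"objectClass": ["country"]},
    "o=GlobalCorp,c=US": {"objectClass": ["organization"]},
    "ou=Marketing,o=GlobalCorp,c=US": {"objectClass": ["organizationalUnit"]},
    "cn=Alice Example,ou=Marketing,o=GlobalCorp,c=US": {"sn": ["Example"], "ou": ["Marketing"]},
})
UK = Server("uk-ldap", ["c=UK"], {
    "c=UK": {"objectClass": ["country"]},
    "o=GlobalCorp,c=UK": {"objectClass": ["organization"]},
    "ou=Marketing,o=GlobalCorp,c=UK": {"objectClass": ["organizationalUnit"]},
    "cn=Bob Example,ou=Marketing,o=GlobalCorp,c=UK": {"sn": ["Example"], "ou": ["Marketing"]},
})

if __name__ == "__main__":
    print("local  c=US        :", US.search("c=US", in_marketing))
    print("global root        :", distributed_search([US, UK], "", in_marketing))
    print("global o=GlobalCorp:", distributed_search([US, UK], "o=GlobalCorp", in_marketing))
    try:
        US.search("o=GlobalCorp", in_marketing)
    except NoSuchObject as e:
        print("direct o=GlobalCorp:", e)
```

Run stand-alone, the script shows the local search succeeding, the root-based fan-out finding both Marketing people, and the o=GlobalCorp base returning nothing (and noSuchObject when sent to one server directly), because o=GlobalCorp is not a naming context anywhere: the organisation only exists as a child of each country. Making "o=GlobalCorp" the thing a global client can search for requires either a common superior context that every server knows about, or replicating both subtrees to every server, which is the wall Alan describes.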