
Re: DN revision



At 12:48 AM 4/17/01, Kurt D. Zeilenga wrote:
>In addition, security considerations related to the use of other
>names and/or alternative DN string representations should be
>detailed.

I offer these additional security considerations regarding
the use of other names.

  5.3. Use of Other Names

  Attribute type names are not unique.  A string representation
  generated with names other than those in the Section 2.3 table is
  ambiguous.  That is, two applications may recognize the string as
  representing two different DNs possibly associated with two different
  entries.  This may lead to a wide range of unexpected behaviors
  which can have both direct and indirect impacts upon security.

  For example, a distinguished name consisting of one RDN with one
  AVA, in which the type is known locally as FOO and the value is the
  octetString "BAR", could be represented in LDAP as the string
  FOO=BAR.  As the name FOO does not uniquely identify an attribute
  type, the DN FOO=BAR is ambiguous.  That is, FOO could be recognized
  as the attribute type 1.1.1 by one application and 1.2.3.4 in
  another and not recognized by another.  This may lead to operations
  not behaving as intended.

  Applications desiring to generate an unambiguous string representation
  of a DN SHOULD generate the string representation per Section 2,
  not use names other than those in the Section 2.3 table, and take
  Section 5.2 into consideration.
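The ambiguity described in the proposed Section 5.3, worked through as an added example (not code from the thread or from any RFC): one DN string is resolved under three applications' local attribute-type tables and yields three different results, while emitting only Section 2.3 names or dotted-decimal OIDs gives a form every application reads the same way. The names FOO, BAR and the OIDs 1.1.1 and 1.2.3.4 are the hypothetical ones from the message; the Section 2.3 names and their OIDs are the real ones.

```python
import re

# Real OIDs for the RFC 2253 Section 2.3 short names.
SECTION_2_3 = {
    "CN": "2.5.4.3", "L": "2.5.4.7", "ST": "2.5.4.8", "O": "2.5.4.10",
    "OU": "2.5.4.11", "C": "2.5.4.6", "STREET": "2.5.4.9",
    "DC": "0.9.2342.19200300.100.1.25", "UID": "0.9.2342.19200300.100.1.1",
}
OID_RE = re.compile(r"^\d+(\.\d+)+$")   # dotted-decimal attribute type

def split_rdns(dn):
    """Split a DN string into (TYPE, value) pairs; honours backslash
    escapes so an escaped comma stays inside the value."""
    pairs, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            buf.append(ch); escaped = not escaped
        elif ch == ",":
            pairs.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return [(t.strip().upper(), v) for t, _, v in (p.partition("=") for p in pairs)]

def resolve(dn, local_names):
    """Map each type name to an OID via the Section 2.3 table plus one
    application's local table; a name the application lacks gives None."""
    table = dict(SECTION_2_3, **{k.upper(): v for k, v in local_names.items()})
    return [(t if OID_RE.match(t) else table.get(t), v) for t, v in split_rdns(dn)]

def canonical(dn, local_names):
    """Unambiguous form: Section 2.3 short names where one exists,
    the dotted-decimal OID for every other attribute type."""
    by_oid = {oid: name for name, oid in SECTION_2_3.items()}
    parts = []
    for oid, v in resolve(dn, local_names):
        if oid is None:
            raise ValueError("unrecognized attribute type in %r" % dn)
        parts.append("%s=%s" % (by_oid.get(oid, oid), v))
    return ",".join(parts)

# Constructed local tables: the same name FOO means different things.
APP_A = {"FOO": "1.1.1"}     # hypothetical OID from the message
APP_B = {"FOO": "1.2.3.4"}   # hypothetical OID from the message
APP_C = {}                   # does not recognize FOO at all

if __name__ == "__main__":
    dn = "FOO=BAR,DC=example,DC=com"
    for app in (APP_A, APP_B, APP_C):
        print(resolve(dn, app))          # three different DNs from one string
    print(canonical(dn, APP_A))          # 1.1.1=BAR,DC=example,DC=com
```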