Re: DN-alt issues



"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> writes:
>
> At 10:24 AM 2002-08-21, Mark C Smith wrote:
>
>> That is, some implementations such as the Netscape Directory Server
>> will generate (send) DN strings that use attribute type names that
>> are not listed in the table...
>
> draft-ietf-ldapbis-dn doesn't prohibit this behavior.

The draft requires some editing to clarify this point.  In the section
on "Converting DistinguishedName from ASN.1 to a String" there is no
mention that this behavior is allowed.  This is where that information
needs to be presented.  In the following section "Parsing a String
back to a Distinguished Name" it does say "implementations SHOULD only
generate DN strings in accordance with Section 2", but this is
logically the wrong place to give this guidance.  Also it doesn't
precisely specify the manner in which implementations are free to
deviate from the recommendation of Section 2.  Not that it's
complicated or even non-obvious, but as this is a spec, Section 2 must
precisely specify what's allowed in addition to what's recommended.

Second, Netscape is not the only server to do this.  Adding a
"SHOULD NOT" restriction against a common (majority?) practice seems
like it may be taking things too far for a BIS update.  Legalistically
you may be covered, but this is a matter of degree.  What percentage 
of servers deployed today would you estimate violate the new policy,
as Mark describes for Netscape?

Note that I'm not questioning the existence of interoperability issues
relating to attribute type string names, and I do support the draft
giving clear guidance on this.


Scott Seligman
Java Security, Networking, and Naming
Sun Microsystems