Re: ldapbis WG Last Call on ldapbis-syntaxes, ldapbis-strprep



>> If I understand you correctly, the part of [Models] 2.3 which I
>> quoted should be changed to something like
>>
>>  If the attribute type has an equality matching rule, any two values
>>  of the attribute must compare as false according to that matching
>>  rule.
>
> Yes.

In view of this, I'm beginning to dislike that Prohibit step.
If I have a purely local LDAP directory, why shouldn't I be allowed to
give an attribute two values where one uses a Private Use code point?
Or to search for - and find - the one with a Private Use code point by
searching for that exact string, at least?
The results of choosing to do this would of course be my responsibility.

I think it would be better if servers SHOULD implement the Prohibit step
but MAY allow it to be turned off, and recommend that managers keep it
turned on for globally accessible directories.

Then make the problem with certificate chain validation a problem for
certificates, not for string matching in general:  Either prohibit the
characters listed in the Prohibit step from existing in certificates, or
say that the Prohibit step MUST be performed when checking components of
certificates.  In either case, these characters won't match anything.

-- 
Hallvard
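To make the consequence concrete, here is a small added model (not code from the ldapbis drafts, any server, or the poster) of the behaviour discussed above: an equality match that runs a Prohibit step, switchable per the SHOULD/MAY proposal. It is an assumption of this model that only Private Use code points (Unicode category `Co`) are prohibited; the real step rejects more.

```python
import unicodedata
from typing import Optional


def prepare(value: str, prohibit: bool = True) -> Optional[str]:
    """Toy string preparation: return the prepared value, or None when the
    Prohibit step is enabled and the value contains a Private Use code point.
    Assumption of this model: only category 'Co' is prohibited; other
    preparation steps (mapping, normalization, ...) are omitted."""
    if prohibit and any(unicodedata.category(ch) == "Co" for ch in value):
        return None
    return value


def values_match(a: str, b: str, prohibit: bool = True) -> bool:
    """Equality matching: a value that fails preparation matches nothing,
    not even an identical copy of itself."""
    pa, pb = prepare(a, prohibit), prepare(b, prohibit)
    if pa is None or pb is None:
        return False
    return pa == pb


def may_coexist(a: str, b: str, prohibit: bool = True) -> bool:
    """Two values may be stored in one attribute only if they compare as
    false under the attribute's equality matching rule."""
    return not values_match(a, b, prohibit)


if __name__ == "__main__":
    # Constructed sample: U+E000 is a Private Use code point.
    plain, private = "example", "example\ue000"
    # Prohibit on (globally accessible directory): the private value is
    # unfindable by exact search, yet two identical copies may coexist.
    print(values_match(private, private))          # False
    print(may_coexist(private, private))           # True
    # Prohibit off (purely local directory): exact search works and the two
    # values are still distinct, so both can be stored.
    print(values_match(private, private, prohibit=False))  # True
    print(may_coexist(plain, private, prohibit=False))      # True
```

With the step enabled, a value containing a prohibited code point can never be found by an equality search, and two identical such values are not rejected as duplicates, which is the side effect the thread is weighing against the certificate-chain concern.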