[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: New text for X.501

To: Steven Legg <steven.legg@adacel.com.au>
Subject: Re: New text for X.501
From: David Chadwick <d.w.chadwick@salford.ac.uk>
Date: Mon, 27 Oct 2003 11:37:40 +0000
Cc: LDAP BIS <ietf-ldapbis@OpenLDAP.org>, OSIdirectory@az05.bull.com
Organization: University of Salford
References: <3F9BBB94.BBE78984@salford.ac.uk> <3F9C5E08.1040104@adacel.com.au>

Steven

We are talking about the abstract values and not the encoded values.
X.500 does not mandate any particular ASN.1 encoding rules except in the
case of the X.509 attributes which must be DER (and even this was later
realised to be a bug, but it is too late to change it now). DSAs/LDAP
servers will typically store local representations of abstract values
and what these are is not stated, its implementation dependent (although
in some cases such as the X.509 attributes, they will have to store the
encoded values so as to preserve the signatures). Whether the transfer
syntax is BER, LDAP or XER should be irrelevant to the abstract value.
Does this help to clarify what the intention is

regards

David


Steven Legg wrote:
> 
> David,
> 
> David Chadwick wrote:
> > Dear LDAPers
> >
> > At the recent Geneva meeting of the X.500 group, Defect Report 303 was
> > discussed. This concerns the fact that a user cannot be guaranteed that
> > the information presented to LDAP/X.500 server in an update operation is
> > subsequently returned unaltered in a Search operation. Due to this, in
> > the PKIX work we are adding text to the IDs specifically to say that for
> > X.509 certificates and CRLs the data must not be altered by the LDAP
> > server. The X.500 group is going to go one step further than this and
> > state that no attributes must be altered by the server and must be
> > returned exactly as presented,
> 
> I think this change is ill-advised, as the requirement cannot be enforced
> in a mixed LDAP/X.500 distributed environment. An attribute value that is
> entered in an LDAP-specific encoding has to be transformed into BER to be
> carried in DSP or DISP. There is no guarantee that the exact LDAP-specific
> encoding of the original attribute value will be reconstructed by the
> receiving DSA. Preservation of the exact encoding of PKI attributes can
> only be made to work in the general case because the LDAP encoding and the
> X.500 encoding is the same - BER. For most syntaxes this is not the case.
> 
> The XED specifications introduce a third way of encoding directory data (DXER),
> which only increases the difficulty of preserving the original encoding.
> 
> If the X.500 standards add this requirement then, as a practical necessity,
> I will have to disregard it. However, I will continue to preserve the abstract
> value of attribute values to the extent that it is possible to do so.
> 
> Regards,
> Steven
> 
> > although a server may store a
> > canonicalised form for efficient matching if it so desires.
> >
> > The defect report can only address the 1997 and 2001 versions of X.500,
> > since the 1993 version that LDAP is based in is no longer supported by
> > ITU-T/ISO.
> >
> > Here is the gist of the proposed text to fix the defect report.
> >
> > Stored attribute values must be held as supplied. We propose to add text
> > to X.501 in clause 8.5 and in 8.8.1, where we will point out that
> > rationalizations to stored values for the purposes of matching do not
> > effect the stored value. We will also add text to clause 6.1 of x.520
> > stating that the rationalizations describe in the matching rules are
> > ephemeral, for the purpose of the match only, and will not affect the
> > stored value.
> >
> > Regards
> >
> > David
> >

-- 

*****************************************************************

David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Web site: http://sec.isi.salford.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

begin:vcard 
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://sec.isi.salford.ac.uk
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@salford.ac.uk
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-18752
fn:David Chadwick
end:vcard

Follow-Ups:
- Re: New text for X.501
  - From: Steven Legg <steven.legg@adacel.com.au>

References:
- New text for X.501
  - From: David Chadwick <d.w.chadwick@salford.ac.uk>
- Re: New text for X.501
  - From: Steven Legg <steven.legg@adacel.com.au>

Prev by Date: Re: LDAP based on X.500 '93 (was: New text for X.501)
Next by Date: Re: LDAP based on X.500 '93
Index(es):
- Chronological
- Thread