Re: New text for X.501

[Steven Legg <steven.legg@adacel.com.au>]

David,

David Chadwick wrote:
> Steven
>
> We are talking about the abstract values and not the encoded values.
> X.500 does not mandate any particular ASN.1 encoding rules except in the
> case of the X.509 attributes which must be DER (and even this was later
> realised to be a bug, but it is too late to change it now). DSAs/LDAP
> servers will typically store local representations of abstract values
> and what these are is not stated, its implementation dependent (although
> in some cases such as the X.509 attributes, they will have to store the
> encoded values so as to preserve the signatures). Whether the transfer
> syntax is BER, LDAP or XER should be irrelevant to the abstract value.
> Does this help to clarify what the intention is

Yes, though you should be aware that there are cases where even the
abstract value can't be preserved. The chosen alternative in a DirectoryString
isn't guaranteed to be preserved in a transformation from BER to LDAP-specific
to BER. This affects the Directory String syntax, as well as various syntaxes
that have embedded DirectoryString components. The chosen alternative is
inconsequential for directory purposes, but changing it is, by strict definition,
a change to the abstract value.

Regards,
Steven

> regards
>
> David
>
>
> Steven Legg wrote:
>
> > David,
> >
> > David Chadwick wrote:
> >
> > > Dear LDAPers
> > >
> > > At the recent Geneva meeting of the X.500 group, Defect Report 303 was
> > > discussed. This concerns the fact that a user cannot be guaranteed that
> > > the information presented to LDAP/X.500 server in an update operation is
> > > subsequently returned unaltered in a Search operation. Due to this, in
> > > the PKIX work we are adding text to the IDs specifically to say that for
> > > X.509 certificates and CRLs the data must not be altered by the LDAP
> > > server. The X.500 group is going to go one step further than this and
> > > state that no attributes must be altered by the server and must be
> > > returned exactly as presented,
> >
> > I think this change is ill-advised, as the requirement cannot be enforced
> > in a mixed LDAP/X.500 distributed environment. An attribute value that is
> > entered in an LDAP-specific encoding has to be transformed into BER to be
> > carried in DSP or DISP. There is no guarantee that the exact LDAP-specific
> > encoding of the original attribute value will be reconstructed by the
> > receiving DSA. Preservation of the exact encoding of PKI attributes can
> > only be made to work in the general case because the LDAP encoding and the
> > X.500 encoding is the same - BER. For most syntaxes this is not the case.
> >
> > The XED specifications introduce a third way of encoding directory data (DXER),
> > which only increases the difficulty of preserving the original encoding.
> >
> > If the X.500 standards add this requirement then, as a practical necessity,
> > I will have to disregard it. However, I will continue to preserve the abstract
> > value of attribute values to the extent that it is possible to do so.
> >
> > Regards,
> > Steven
> >
> >
> > > although a server may store a
> > > canonicalised form for efficient matching if it so desires.
> > >
> > > The defect report can only address the 1997 and 2001 versions of X.500,
> > > since the 1993 version that LDAP is based in is no longer supported by
> > > ITU-T/ISO.
> > >
> > > Here is the gist of the proposed text to fix the defect report.
> > >
> > > Stored attribute values must be held as supplied. We propose to add text
> > > to X.501 in clause 8.5 and in 8.8.1, where we will point out that
> > > rationalizations to stored values for the purposes of matching do not
> > > effect the stored value. We will also add text to clause 6.1 of x.520
> > > stating that the rationalizations describe in the matching rules are
> > > ephemeral, for the purpose of the match only, and will not affect the
> > > stored value.
> > >
> > > Regards
> > >
> > > David