Re: I-Draft on signed operations



Vesna,

Thanks for this draft.   I believe that adding "native" signed operations to
LDAP is not worth the effort.   I think that if you want to do signed
operations, use of X.500 DAP is the right way to go.  If you REALLY
hate the OSI stack that much, an approach such as the one taken in the
US Navy/NSA sldap project, which essentially used LDAP to frame DAP
PDUs, is the best option.

Reasons I say this:

1) Currently LDAP and X.500 are pretty much compatible, and users can
mix them as they need.  If you introduce LDAP signed operations, this
is adding a fundamental incompatibility.

2) Because of the complexity of the ASN.1 for signing, you are going
to run into problems with LBER (this has already been pointed out).

3) This is adding a lot of ASN.1 handling.   When you have this much
ASN.1, it is easier to work with X.500 DAP than with LDAP.  


Steve Kille