
RE: I-Draft on signed operations
Steve,

I think that I disagree somewhat.  While I don't agree 100% with the
approach indicated in the "Hassler" draft, I think that there is a need
for LDAP "signed operations".  I think that there are (at least) two
possible requirements that can be imagined for signed LDAP operations
(one of which is easily dismissed).  One reason that one might want a
signed LDAP operation is to provide a data integrity environment for
LDAP.  I believe that this is an invalid requirement, since TLS already
provides a client to server data integrity solution for LDAP.  The
second requirement (which I believe to be real) that exists for LDAP
signed operations is the creation of a journal or audit trail of the
changes that have been made to the objects in the directory.  Such a
solution is not yet provided explicitly by LDAP or X.500.  This
requirement can easily be met in LDAP by the creation of a simple
control which can be attached to operations which modify the directory
entries, and additionally, the creation of schema information that can
subsequently be read by directory clients.  

I'd prefer to use an existing Internet information signing protocol for
this purpose (such as S/MIME).  Thus, anyone that can read S/MIME (or
whatever) could also read the directory audit trail information (via
LDAP or DAP). This theoretical control is another issue, as the control
would be defined in LDAP-ese, but if I understand some of the things
that X.500 guys say about the sorting and paged results controls, it is
no big deal to translate an LDAP control into something meaningful for
DAP.  So, given all of that, I haven't yet formally submitted an I-D on
this subject (though I have written one; if you're interested, let me
know), but instead I'm trying to collaborate on one with someone else
that has been independently working on this idea.

Bruce

> -----Original Message-----
> From:	Steve Kille [SMTP:S.Kille@isode.com]
> Sent:	Saturday, April 04, 1998 4:10 PM
> To:	Vesna Hassler
> Cc:	ldap@umich.edu; ietf-ldapext@netscape.com
> Subject:	Re: I-Draft on signed operations
> 
> Vesna,
> 
> Thanks for this draft.   I believe that adding "native" signed
> operations to LDAP is not worth the effort.   I think that if you want
> to do signed operations, use of X.500 DAP is the right way to go.  If
> you REALLY hate the OSI stack that much, an approach such as the one
> taken in the US Navy/NSA sldap project, which essentially used LDAP to
> frame DAP PDUs, is the best option.
> 
> Reasons I say this:
> 
> 1) Currently LDAP and X.500 are pretty much compatible, and users can
> mix them as they need.  If you introduce LDAP signed operations, this
> is adding a fundamental incompatibility.
> 
> 2) Because of the complexity of the ASN.1 for signing, you are going
> to run into problems with LBER (this has already been pointed out).
> 
> 3) This is adding a lot of ASN.1 handling.   When you have this much
> ASN.1, it is easier to work with X.500 DAP than with LDAP.  
> 
> 
> Steve Kille
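Added example, not code from either message above: it sketches Bruce's proposal of a control attached to directory-modifying operations that carries a signature over an audit-trail record, and it bears on Steve's points 2 and 3 about ASN.1 and LBER, because the signature travels inside the control as an opaque OCTET STRING that the LBER layer never has to parse. The control structure follows RFC 4511 (Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }); the control OID, the journal record layout and the hash chain are assumptions of this example, and HMAC-SHA256 stands in for the S/MIME public-key signature the message proposes so the example runs with the Python standard library alone. The journal entries are constructed sample data.

```python
import hashlib
import hmac
import json

# Hypothetical control OID (assumption; not a registered LDAP control).
AUDIT_SIG_CONTROL_OID = "1.3.6.1.4.1.99999.1.1"


def ber_length(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(content)) + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_control(oid, value, critical=False):
    """RFC 4511 Control: SEQUENCE of LDAPOID, BOOLEAN (DEFAULT FALSE, omitted
    when false as DER does) and an OCTET STRING holding the opaque signature."""
    inner = ber_tlv(0x04, oid.encode("ascii"))
    if critical:
        inner += ber_tlv(0x01, b"\xff")
    inner += ber_tlv(0x04, value)
    return ber_tlv(0x30, inner)


def decode_control(blob):
    """Parse the encoding above back into (oid, critical, value)."""
    tag, seq, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = read_tlv(seq)
    critical = False
    if pos < len(seq):
        tag, content, nxt = read_tlv(seq, pos)
        if tag == 0x01:
            critical = content != b"\x00"
            pos = nxt
    value = b""
    if pos < len(seq):
        _, value, _ = read_tlv(seq, pos)
    return oid.decode("ascii"), critical, value


def canonical_record(seq, prev_digest, dn, changes, signer):
    """Deterministic bytes for one journal entry (assumed layout): sorted keys,
    no whitespace, attribute names lower-cased, values sorted as sets."""
    record = {
        "seq": seq,
        "prev": prev_digest.hex(),
        "dn": dn,
        "signer": signer,
        "changes": [{"op": op, "attr": attr.lower(), "values": sorted(vals)}
                    for op, attr, vals in changes],
    }
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key, record):
    """HMAC-SHA256 stand-in for the S/MIME signature (assumption)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def append_entry(journal, key, dn, changes, signer):
    """Chain each entry to the digest of the previous one, then attach the
    signature as the controlValue of the audit control."""
    prev = hashlib.sha256(journal[-1][0]).digest() if journal else b"\x00" * 32
    record = canonical_record(len(journal), prev, dn, changes, signer)
    control = encode_control(AUDIT_SIG_CONTROL_OID, sign_record(key, record))
    journal.append((record, control))
    return journal


def verify_journal(journal, key):
    """True only if every signature checks and the chain is unbroken, so an
    edited, dropped or reordered entry is detected."""
    prev = b"\x00" * 32
    for seq, (record, control) in enumerate(journal):
        oid, _, sig = decode_control(control)
        if oid != AUDIT_SIG_CONTROL_OID:
            return False
        if not hmac.compare_digest(sig, sign_record(key, record)):
            return False
        parsed = json.loads(record)
        if parsed["seq"] != seq or parsed["prev"] != prev.hex():
            return False
        prev = hashlib.sha256(record).digest()
    return True


def demo():
    """Constructed sample: two modifications, then a tampered copy of the log."""
    key = b"constructed-demo-key"  # constructed; a real deployment signs with a key pair
    journal = []
    append_entry(journal, key, "cn=alice,dc=example,dc=com",
                 [("replace", "mail", ["alice@example.com"])], "cn=admin")
    append_entry(journal, key, "cn=alice,dc=example,dc=com",
                 [("add", "memberOf", ["cn=ops"])], "cn=admin")
    intact = verify_journal(journal, key)
    tampered = [(journal[0][0].replace(b"cn=admin", b"cn=mallory"), journal[0][1])]
    tampered += journal[1:]
    return intact, verify_journal(tampered, key)


if __name__ == "__main__":
    print(demo())
```

Reading the control back shows why Steve's LBER concern is sidestepped rather than solved: the client and server only ever see an OCTET STRING, and whatever signs or verifies the record (S/MIME in Bruce's proposal) is a separate layer that reads the journal entry and the blob as published in the directory schema.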