
RE: ldap PICS



The draft profiles are a good start; however, I would like to make a few
comments.

The profiles serve a purpose which is different from a PICS document. A
clear statement of exactly what is implemented allows vendors to describe
functionality beyond the requirements of the profiles. They also avoid any
ambiguity or choices presented in the profile descriptions. In my view, the
two types of documents are complementary.

The profiles at the Innosoft site should be standardized so that they are
more universally accepted. A series of standard ldap profiles would make it
easier for vendors to target specific markets. This is aligned with the
notion that only subsets of functionality are required for specific types of
ldap servers (the original concept of ldap was to keep the functionality
simple since only a subset of the DAP functionality was required for certain
types of applications). But doesn't this introduce the possibility of a
proliferation of non-compatible products? Wouldn't this make it even more
difficult to deploy scalable systems? Perhaps the types of application
profiles should be limited to address the scalability of the target system.
For example 1) read-only, 2) stand-alone read-write and 3) components of
distributed systems (i.e. complementary to X.500 systems). With that in mind
I would also like to see a profile describing how an ldap server must
provide access to an X.500 directory including a mapping of protocol
elements, authentication mechanisms, mappings of attribute descriptions to
contexts etc.

One observation concerning the profile for the "Certificate Application".
There is a difference between required functionality and pure protocol
definitions. The PKIX profile effectively defines protocol requirements for
accessing data. If functionality is to be addressed in the Innosoft profile,
many other issues must be discussed, the majority of which deal with
scalability of the directory. The basic understanding of this application
is that the response performance and availability of the data is critical
and requires adequate protection and redundancy. This requires mature
administrative models and access controls. Also, the processing of
certification paths requires synchronized knowledge of a distributed DIT.

Chris.