
Re: Returning single values from multivalued attributes



Mark C Smith wrote:
> 
> David Chadwick wrote:
> >
> > This topic has been briefly discussed on this list before (30 July),
> > but no conclusions were reached. Briefly the situation is that X.500
> > DAP allows a user to search an entry and only request that matched
> > values are returned from a multi-valued attribute rather than all
> > attributes. LDAP only allows all or no values to be returned.
> >
> > There has also been a request in the PKIX group that LDAP should
> > allow a single user certificate to be returned (the one that matches
> > the users filter), rather than all the users certificates.
> 
> Is it a valid assumption that most entries will contain only a few
> certificates?  

A CA may store a potentially large number of cross certificates 
issued to or from other CAs. When building certification paths, it is 
useful to be able to search for a subset of certificates which satisfy
policy and name constraints, validity and other parameters required
for validating the certification path.

I can imagine an end-entity may also store many certificates, issued
by different CAs with different key usages and policies or certifying different
application specific identities. Searching for another user's S/MIME
certificate would involve constructing a certificate matching rule which
matched on the user's email address in the SubjectAltName component and minimally
an encryption bit in the keyUsage component. A rule such as this, when
combined with a matchedValuesOnly control could prevent the client from
downloading a large number of irrelevant certificates. 

> If so, the value of returning only the one that is
> matched is reduced.  Of course certificates are typically fairly large,
> so reducing the amount of data sent might be useful.  My guess is that
> reducing the number of network round trips is more important than
> reducing the data itself -- and a matchedValuesOnly control won't
> help there.

I believe the matchedValuesOnly control could be abused if not used
wisely, especially if you have to perform multiple searches to find the
right value. But I think it is very valuable in certain scenarios
such as certificate searching and certification path building.

--Sean
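As an added illustration (not code from the thread, and not any directory server's implementation), the following Python models the difference Sean describes: the search filter selects the entry, and a matchedValuesOnly control decides whether the whole multi-valued userCertificate attribute or only the matching values come back. Certificates are represented as small constructed dicts (SAN e-mail plus keyUsage bits) rather than parsed DER, and `cert_matches` is a stand-in for the certificate matching rule he sketches.

```python
# Added example: simulates what a matchedValuesOnly control changes in an
# LDAP search over a multi-valued userCertificate attribute. Certificates
# are modelled as constructed dicts, not real DER, so this runs offline.

# Constructed sample directory: one person entry holding three certificates.
DIRECTORY = {
    "cn=Alice,o=Example": {
        "userCertificate": [
            {"id": "cert-signing", "san_emails": ["alice@example.com"],
             "key_usage": {"digitalSignature"}},
            {"id": "cert-encryption", "san_emails": ["alice@example.com"],
             "key_usage": {"keyEncipherment"}},
            {"id": "cert-old-address", "san_emails": ["alice@old.example"],
             "key_usage": {"keyEncipherment"}},
        ]
    }
}


def cert_matches(cert, email, usage_bit):
    """Hypothetical certificate matching rule: the SAN e-mail equals
    `email` and the named keyUsage bit is set in the certificate."""
    return email in cert["san_emails"] and usage_bit in cert["key_usage"]


def search(directory, email, usage_bit, matched_values_only):
    """Return {dn: [certificate values]} for every entry in which at least
    one value satisfies the rule (ordinary filter semantics). Without the
    control the entire attribute is returned, which is the LDAP behaviour
    the thread complains about; with it only the matching values are."""
    results = {}
    for dn, entry in directory.items():
        values = entry.get("userCertificate", [])
        matched = [c for c in values if cert_matches(c, email, usage_bit)]
        if not matched:
            continue  # entry does not satisfy the search filter at all
        results[dn] = matched if matched_values_only else list(values)
    return results


def cert_ids(results, dn):
    """Helper: the ids of the certificate values returned for one entry."""
    return [c["id"] for c in results[dn]]


if __name__ == "__main__":
    for flag in (False, True):
        r = search(DIRECTORY, "alice@example.com", "keyEncipherment", flag)
        print(f"matchedValuesOnly={flag}: {cert_ids(r, 'cn=Alice,o=Example')}")
```

Running it shows three certificates returned without the control and a single one with it, which is the download reduction Sean argues for.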