
RE: Returning single values from multivalued attributes



I agree with the below. Certainly the component matching rules for complex
attributes such as certs, CRLs, mail lists, etc. are being implemented by
some in their DSAs. Therefore LDAP should apply this capability. It is
worth noting that LDAP servers should provide a generic component
matching capability for complex attributes.

For client access though, it's a question of the application concerned on
what (e.g.) cert/CRL it uses and how it wants to find it. Generally the
first client app off the rank wanted by most will be a CA management
application - which is required to find certs based on validity, etc. In
addition OCSP servers that are directory capable could use component
matching for finding CRL entries (if the directory is trusted).

regards alan


> -----Original Message-----
> From:	Ella Paton Bassett 
> Sent:	Saturday, August 07, 1999 2:29 AM
> To:	Sean Mullan
> Cc:	d.w.chadwick@salford.ac.uk; ietf-ldapext@netscape.com
> Subject:	Re: Returning single values from multivalued attributes
> 
> David:
> 
> We would like to see these drafts written. Thanks for pointing out that
> we need the matched values only feature in addition to the certificate
> matching rule to select a particular value of a certificate using
> LDAP.
> 
> We are also curious to know if client vendors intend to implement
> attribute types other than userCertificate to retrieve certificates from
> the directory using LDAP v3.
> 
> Ella
> 
> Sean Mullan wrote:
> > 
> > Hi David,
> > 
> > I'd like to work on an LDAP draft with you as I believe this is very
> > important. (Actually, I was planning to write a draft but I was a
> > bit discouraged by the lack of response to my message on 7/30). Please
> > let me know how you want to coordinate this.
> > 
> > I think that 2 drafts are probably needed, one describing a control for the
> > matchedValuesOnly feature and another for describing the X.509 certificate
> > and CRL matching rules as new LDAP matching rules.
> > 
> > Thanks,
> > --Sean
> > 
> > David Chadwick wrote:
> > >
> > > This topic has been briefly discussed on this list before (30 July),
> > > but no conclusions were reached. Briefly the situation is that X.500
> > > DAP allows a user to search an entry and only request that matched
> > > values are returned from a multi-valued attribute rather than all
> > > attributes. LDAP only allows all or no values to be returned.
> > >
> > > There has also been a request in the PKIX group that LDAP should
> > > allow a single user certificate to be returned (the one that matches
> > > the user's filter), rather than all the user's certificates.
> > >
> > > I believe that once clients start to retrieve schema definitions they
> > > will also want matched values only to be returned.
> > >
> > > There are a couple of approaches this group can take
> > >
> > > i) say that this is not a significant problem and ignore it. Let the
> > > client sort out the value it wants
> > >
> > > ii) say that it is a significant problem and try to fix it via a new
> > > matchedValuesOnly control ID. (I can volunteer to write the ID if
> > > people are interested in it)
> > >
> > > What do people think about this?
> > > 
> > > David
> > >
> > > ***************************************************
> > >
> > > David Chadwick
> > > IS Institute, University of Salford, Salford M5 4WT
> > > Tel +44 161 295 5351  Fax +44 161 745 8169
> > > Mobile +44 790 167 0359
> > > *NEW* Email D.W.Chadwick@salford.ac.uk *NEW*
> > > Home Page  http://www.salford.ac.uk/its024/chadwick.htm
> > > Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
> > > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> > > Entrust key validation string MLJ9-DU5T-HV8J
> > >
> > > ***************************************************
> > 
> > --
> > Sean Mullan                     Email: sean.mullan@sun.com
> > Sun Microsystems Laboratories   Tel:   (781) 442-0926
> > One Network Drive               Fax:   (781) 442-1692
> > Burlington, MA 01803-0902
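
The difference the thread is about, between returning every value of a multi-valued attribute and returning only the values that matched the filter, is shown below as an added example; it is not part of any message in the thread or of any draft. The entry, the dict-based certificate model, and the names exact_match, not_expired, search and serials are all constructed for illustration.

```python
from datetime import date

# Constructed sample entry. Certificates are modelled as dicts instead of
# DER-encoded values (assumption, to keep the example self-contained).
ENTRY = {
    "dn": "cn=Example User,o=Example",
    "userCertificate": [
        {"serial": 1001, "issuer": "cn=Example CA,o=Example", "not_after": date(1998, 12, 31)},
        {"serial": 1002, "issuer": "cn=Example CA,o=Example", "not_after": date(2000, 6, 30)},
        {"serial": 2001, "issuer": "cn=Other CA,o=Example", "not_after": date(2000, 1, 31)},
    ],
}

def exact_match(serial, issuer):
    """Hypothetical matching rule: serial number plus issuer name.
    Issuer comparison is a case-insensitive string compare (simplification)."""
    return lambda c: c["serial"] == serial and c["issuer"].lower() == issuer.lower()

def not_expired(on_day):
    """Hypothetical validity rule: the certificate has not expired on on_day."""
    return lambda c: c["not_after"] >= on_day

def search(entry, attr, rule, matched_values_only=False):
    """Evaluate a single filter item against one entry.

    The entry matches if any value of attr satisfies rule. Without the
    flag every value of the attribute comes back (the LDAP behaviour
    described in the thread); with it, only the values that matched."""
    values = entry.get(attr, [])
    matched = [v for v in values if rule(v)]
    if not matched:
        return None  # filter is not TRUE for this entry, nothing returned
    return {"dn": entry["dn"], attr: matched if matched_values_only else list(values)}

def serials(result, attr="userCertificate"):
    """Serial numbers in a search result, or [] when the entry did not match."""
    return [] if result is None else [c["serial"] for c in result[attr]]

if __name__ == "__main__":
    rule = exact_match(1002, "CN=Example CA,O=Example")
    print("all values :", serials(search(ENTRY, "userCertificate", rule)))
    print("matched    :", serials(search(ENTRY, "userCertificate", rule, True)))
    print("valid 1999 :", serials(search(ENTRY, "userCertificate", not_expired(date(1999, 8, 7)), True)))
```

Without the flag, a client that asked for one certificate still receives all three and has to pick the right one itself, which is approach (i) in the thread.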