
[ldapext] draft-zeilenga-ldap-uuid-03 Feedback



Regarding
http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-uuid-03.txt, I wish
to provide a few points of feedback. First, this is a great draft. UUIDs
have so many uses in the directory space that this is an important addition.
Rich Salz and I have been talking about it, and here are a few nits we found:

1) The security section of the document should mention that security
concerns have been raised about UUID version 1. One concern regards exposing
the IEEE 802.1 address (MAC address) to parties outside of the local
network. In certain circumstances this might be a security risk. As an
example, here is an MSDN document that mentions the change in the RPC
implementation stemming from this concern (section entitled "Remarks"):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/uuidcreatesequential.asp
Another type of security concern involves a privacy issue. It can be
summarized as follows: a version 1 time-based UUID that uses the IEEE 802.1
address as the node identifier can "give away" both a time and a location,
and thus may unknowingly compromise the expectation of anonymity, if one
existed. Perhaps the section "Security Considerations" should mention these
concerns?

2) The draft references ISO11578. Perhaps others share the feeling that it
might be preferable to reference an IETF document:
http://www.ietf.org/internet-drafts/draft-mealling-uuid-urn-03.txt One
reason to prefer citing another IETF document would be to maintain awareness
of the work underway with regard to the UUID specification; as well, it would
provide a potentially favorable 'endorsement' of the IETF organization in
general. The ISO document requires that one pay to access the document; as a
matter of personal principle, perhaps this is not 'best practice' with
regard to standards documents. Having said that, I realize the document
suggested is also in the draft stage (although it and previous related
drafts have become 'well known'). Supposing that referencing from one draft
to another draft is objectionable, then perhaps once mealling-uuid-urn
reaches RFC status it might be used as the reference? Rich has informed me
the ISO document is going to be superseded soon by another ISO document that
is based on the mealling one. The "mealling" document also does a better job
of addressing security concerns.

3) The ordering and matching are in conflict with "draft-mealling-uuid-urn"
as well as with some other specifications that utilize GUIDs/UUIDs; for
example, the draft references DCE RPC (appendix
http://www.opengroup.org/onlinepubs/9629399/apdxa.htm).
These other documents are in agreement in terms of octet ordering. My
concern is that the user of a UUID implementation may not be aware of the
ordering difference being dependent upon usage: LDAP versus another use.
I'd like to inquire into the rationale for the difference in ordering.

Looking forward to your comments.
- Tim Reilly


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
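The version 1 disclosure raised in point 1 of the message above, shown as an added example that is not part of the original post, of the zeilenga draft, or of the mealling draft: the script below takes a UUID string, and for a version 1 UUID recovers the embedded 60-bit timestamp (converted to a UTC date) and the 48-bit node field, then checks the node's multicast bit, which RFC 4122 (the RFC that draft-mealling-uuid-urn became) requires to be set when the node was generated randomly rather than taken from an IEEE 802 MAC address. The field layout and the epoch offset constant are taken from RFC 4122; the sample version 1 UUID is the DNS namespace UUID published in that RFC, and the version 4 sample is constructed here for contrast. Function names are this example's own.

```python
"""Added example: what a version 1 (time-based) UUID gives away.

Field layout and constants follow RFC 4122 (successor of
draft-mealling-uuid-urn). Only the standard library is used.
"""
import uuid
from datetime import datetime, timezone

# Offset between the UUID epoch (1582-10-15 00:00 UTC) and the Unix epoch
# (1970-01-01 00:00 UTC), in 100-nanosecond intervals (RFC 4122, 4.1.4).
UUID_EPOCH_OFFSET_100NS = 0x01B21DD213814000

# Sample inputs. SAMPLE_V1 is the NameSpace_DNS UUID from RFC 4122
# Appendix C (a real version 1 UUID); SAMPLE_V4 is constructed here.
SAMPLE_V1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_V4 = "123e4567-e89b-42d3-a456-426614174000"


def v1_timestamp_to_unix(time_100ns: int) -> float:
    """Convert a v1 UUID 60-bit timestamp to seconds since the Unix epoch."""
    return (time_100ns - UUID_EPOCH_OFFSET_100NS) / 10_000_000


def node_is_multicast(node: int) -> bool:
    """True if the multicast bit (LSB of the first node octet) is set.

    RFC 4122 section 4.5 requires this bit to be set when the node field is
    random instead of a hardware address, so a clear bit suggests a real
    IEEE 802 MAC address is being exposed.
    """
    return bool((node >> 40) & 1)


def node_to_mac(node: int) -> str:
    """Render the 48-bit node field in the usual colon-separated form."""
    octets = [(node >> (8 * i)) & 0xFF for i in reversed(range(6))]
    return ":".join(f"{o:02x}" for o in octets)


def inspect_uuid(text: str) -> dict:
    """Return what a UUID discloses.

    For RFC 4122 version 1 UUIDs this includes the creation time (UTC),
    the node field and whether it looks like a hardware MAC; for any other
    version or variant only the version/variant are reported.
    """
    u = uuid.UUID(text)
    info = {
        "version": u.version,
        "variant": u.variant,
        "time": None,
        "unix_seconds": None,
        "node": None,
        "node_mac": None,
        "node_looks_like_hardware_mac": None,
    }
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return info
    # uuid.UUID.time reassembles time_hi, time_mid and time_low for v1.
    unix_seconds = v1_timestamp_to_unix(u.time)
    info["unix_seconds"] = unix_seconds
    info["time"] = datetime.fromtimestamp(unix_seconds, tz=timezone.utc)
    info["node"] = u.node
    info["node_mac"] = node_to_mac(u.node)
    info["node_looks_like_hardware_mac"] = not node_is_multicast(u.node)
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4):
        print(sample)
        for key, value in inspect_uuid(sample).items():
            print(f"  {key}: {value}")
```

Running it on the RFC 4122 DNS namespace UUID recovers a creation date in early February 1998 and a node of 00:c0:4f:d4:30:c8 with the multicast bit clear, which is exactly the kind of time-plus-location disclosure the message describes; the version 4 sample yields neither.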