
Re: [ldapext] draft-zeilenga-ldap-uuid-03 Feedback



I've cc'ed the Apps ADs and Paul&Michael to ensure their awareness.
This I-D, as well as mealling-uuid-urn, are in 'IESG Evaluation'.


At 05:55 PM 7/29/2004, Tim Reilly wrote:
>Regarding
>http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-uuid-03.txt I wish
>to provide a few points of feedback. First, this is a great draft. UUIDs
>have so many uses in the directory space this is an important addition. Rich
>Salz and I have been talking about it, and here's a few nits we found:
>
>1) The security section of the document should mention that security
>concerns have been raised about UUID version 1. One concern regards exposing
>the IEEE 802.1 address (MAC address) to parties outside of the local
>network. In certain circumstances this might be a security risk. As an
>example here is a MSDN document that mentions the change in RPC
>implementation (section untitled "Remarks"):
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/uuidcreatesequential.asp
>stemming from this concern. Another type of security
>concern involves a privacy issue. It can be summarized as: a version 1
>time-based UUID that uses the IEEE 802.1 address as node identifier can
>"give away" both a time and a location - thus may unknowingly compromise the
>expectation of anonymity if one existed. Perhaps the section "Security
>Considerations" should mention these concerns?

My working copy includes some text in this area.  It will be available
for review shortly after IETF#60.

>2) The draft references ISO11578. Perhaps others share the feeling that it
>might be preferable to reference an IETF document:
>http://www.ietf.org/internet-drafts/draft-mealling-uuid-urn-03.txt

It's my view that ldap-uuid and uuid-urn specifications should reference
a definitive specification for UUIDs.  I believe ISO11578 should be
viewed as the definitive UUID specification.  Unfortunately, ISO11578
has a few deficiencies.  I hope to discuss this issue with Michael
and various IESG members next week at IETF#59.

>3) The ordering and matching is in conflict with "draft-mealling-uuid-urn"
>as well as some other specifications that utilize guids/uuids; for example the
>draft references DCE RPC (appendix
>http://www.opengroup.org/onlinepubs/9629399/apdxa.htm)
>These other documents are in agreement in terms of octal ordering.

I think uuidOrderingMatch is in agreement as well.

Kurt


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
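
The version 1 disclosure raised in point 1 of the quoted feedback, as an added example that is not part of the original message or of either draft: a Python audit that decodes the creation time and node identifier a time-based UUID gives away. The name `audit_uuid` and the second and third sample values are constructed for illustration (the first is the standard library's `uuid.NAMESPACE_DNS` constant), and the check assumes the RFC 4122 convention that a randomly generated node has the multicast bit set.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Time-based UUIDs count 100 ns intervals from the Gregorian epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def audit_uuid(text):
    """Report what a UUID string discloses (hypothetical helper, added example)."""
    u = uuid.UUID(text)
    report = {"uuid": str(u), "version": u.version,
              "leaks_time": False, "leaks_mac": False}
    # Only RFC 4122 variant, version 1 UUIDs embed a timestamp and a node.
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return report

    # 60-bit timestamp -> creation time (sub-microsecond part truncated).
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)

    # 48-bit node, printed most significant octet first.
    node = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))

    # Assumption (RFC 4122 convention): a node that is not a real IEEE 802
    # address has the multicast bit (low bit of the first octet) set.
    random_node = bool((u.node >> 40) & 0x01)

    report.update(leaks_time=True, created=created,
                  node=node, leaks_mac=not random_node)
    return report


SAMPLES = [
    str(uuid.NAMESPACE_DNS),                  # well-known v1 UUID, unicast node
    "6ba7b810-9dad-11d1-80b4-0123456789ab",   # constructed: v1, multicast bit set
    "f47ac10b-58cc-4372-a567-0e02b2c3d479",   # constructed: v4, no embedded fields
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = audit_uuid(sample)
        line = f"{r['uuid']}  v{r['version']}"
        if r["leaks_time"]:
            line += f"  created={r['created'].isoformat()}"
        if r["leaks_mac"]:
            line += f"  node(MAC)={r['node']}"
        print(line)
```

Running an export of directory entry identifiers through such a check before they leave the local network shows which values carry a host address and which only a creation time.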