News from the wonderful world of directories

Presentation transcript:

News from the wonderful world of directories
Erik Andersen, Denmark

Agenda
- The position of X.500/LDAP
- X.500 enhancements
  - Concept of Friends Attributes
  - Paging on the DSP
  - Maximum alignment with LDAP
  - Enhancements to Public-key and Attribute certificates
- Enhancements to E.115
  - Functional enhancements
  - XML access

The X.500/LDAP Directory
An LDAP or X.500 directory is a general purpose directory. It gives a set of specifications for:
- how objects are represented by entries in a directory
- how objects represented in a directory are named
- how information about objects is created, organised, interrogated, updated and deleted
A directory can be distributed, allowing:
- the establishment of a global Directory
- information to be maintained by the owner of the information
- a separation between public and private domains
- the possibility of replicating information

Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
- LDAP originally developed for X.500 access
- Later developed its own server specifications
- Uses the X.500 model
- Identical in many ways, except for syntax
  - X.500: full use of ASN.1
  - LDAP: simple ASN.1 and Augmented Backus-Naur Form (ABNF)
- Most X.500 implementations support LDAP
- LDAP widely implemented and used

Editions of X.500 Directory Specifications
Developed by ISO/IEC and ITU-T (former CCITT) as:
- ISO/IEC 9594 multi-part International Standard
- ITU-T X.500 Series of Recommendations
Four editions so far:
- Edition 1: ISO/IEC 9594:1990 | CCITT X.500 (1988)
- Edition 2: ISO/IEC 9594:1995 | ITU-T X.500 (1993)
- Edition 3: ISO/IEC 9594:1998 | ITU-T X.500 (1997)
- Edition 4: ISO/IEC 9594:2001 | ITU-T X.500 (2001)

X.500 5th edition enhancements
Expected publication: during 2005
- Concept of Friends Attributes
- Paging on the DSP
- Maximum alignment with LDAP
- Enhancements to Public-key and Attribute certificates

Friend attributes
Attribute subtyping (same syntax): name
  - commonName
  - localityName
  - surname
  - givenName
Friend attributes (possibly different syntaxes): commAddress
  - email (RFC 822 syntax)
  - url (RFC 1738 syntax)
  - telephoneNumber (E.164 syntax)

Paged results on the DSP
[Diagram: "DSP paged result" and "Bound-DSA paged result"; a User and DUA reach the Bound DSA over DAP, and the Bound DSA reaches the other DSAs over DSP]

Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
[Diagram: X.500 and LDAP]

Relationship between X.500 and LDAP with maximum alignment
[Diagram]

Maximum X.500 alignment with LDAP
NOTE – One-way alignment
- Alignment of concepts: add LDAP concepts so that LDAP concepts become a subset of X.500 concepts
- Simplify specifications: removal of dependency on lower layer documentation
- Alignment of operations (replace value)
- Multiple namespaces (Directory Information Trees)
- Directory consisting of a mix of LDAP and X.500 servers
- ISO 10646 (UTF-8) matching
- Component matching

A distributed directory
[Diagram: a User reaches the directory through a DUA (DAP) or an LDAP client (LDAP); an LDAP server and several DSAs are interconnected over DSP and LDAP]

Matching problem
Filter: keyUsage = digitalSignature AND policyIdentifier = { a b d }
Directory entry, attribute holding two certificate values:
- Certificate 1: keyUsage = dataEncipherment; certificatePolicies = { … policyIdentifier = { a.b.d } }
- Certificate 2: keyUsage = digitalSignature; certificatePolicies = { … policyIdentifier = { a.b.c } }
Neither certificate satisfies both conditions, yet matching each assertion against the attribute as a whole would find one in each value and succeed.

Component matching rule
[Diagram: ComponentMatch applied against component n of an attribute value with components m, n, o; evaluates to TRUE if it matches]
- Can be combined by AND, OR and NOT operations, in any combination and at any nesting level, applied to a particular attribute value of a particular attribute type
- Evaluates to TRUE if just one attribute value of the attribute type evaluates to TRUE
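As an added example (not from the slides), here is the matching problem and the component matching rule in Python: the two certificates are modelled as dicts of their components (an assumed shape standing in for the ASN.1 structure), and the filter syntax and the components, component_match and naive_matches helpers are this example's own.

```python
# Constructed entry from the "Matching problem" slide: one attribute holding two
# certificate values, each modelled as a dict of its components (assumed shape).
CERTIFICATES = [
    {"keyUsage": ["dataEncipherment"], "certificatePolicies": [{"policyIdentifier": "a.b.d"}]},
    {"keyUsage": ["digitalSignature"], "certificatePolicies": [{"policyIdentifier": "a.b.c"}]},
]

# The slide's filter. A filter is ("match", component_path, value), ("and", [..]),
# ("or", [..]) or ("not", f). A "*" step in a path means "any element of a SET OF".
FILTER = ("and", [
    ("match", "keyUsage", "digitalSignature"),
    ("match", "certificatePolicies.*.policyIdentifier", "a.b.d"),
])

def components(value, path):
    """Follow the component path down ONE attribute value; return the leaves reached."""
    nodes = [value]
    for step in path.split("."):
        nxt = []
        for node in nodes:
            if step == "*" and isinstance(node, list):
                nxt.extend(node)
            elif isinstance(node, dict) and step in node:
                nxt.append(node[step])
        nodes = nxt
    # a leaf that is itself a list (e.g. the keyUsage bits) contributes each element
    return [leaf for n in nodes for leaf in (n if isinstance(n, list) else [n])]

def evaluate(filt, assertion):
    """Combine assertions with AND/OR/NOT; `assertion(path, value)` decides one leaf."""
    kind = filt[0]
    if kind == "match":
        return assertion(filt[1], filt[2])
    if kind == "and":
        return all(evaluate(f, assertion) for f in filt[1])
    if kind == "or":
        return any(evaluate(f, assertion) for f in filt[1])
    return not evaluate(filt[1], assertion)  # "not"

def component_match(value, filt):
    """The slide's rule: the whole filter is evaluated against a single attribute value."""
    return evaluate(filt, lambda path, v: v in components(value, path))

def attribute_matches(values, filt):
    """TRUE if just one attribute value evaluates to TRUE."""
    return any(component_match(value, filt) for value in values)

def naive_matches(values, filt):
    """Contrast: each assertion tested against all values, then combined."""
    return evaluate(filt, lambda path, v: any(v in components(x, path) for x in values))
```

attribute_matches returns False for the slide's filter because no single certificate carries both components, while naive_matches returns True because it finds each component in a different value.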

DirectoryString

    DirectoryString { INTEGER : maxSize } ::= CHOICE {
        teletexString    TeletexString (SIZE (1..maxSize)),
        printableString  PrintableString (SIZE (1..maxSize)),
        bmpString        BMPString (SIZE (1..maxSize)),
        universalString  UniversalString (SIZE (1..maxSize)),
        uTF8String       UTF8String (SIZE (1..maxSize)) }

ISO/IEC 10646
- The base character set standard: ISO/IEC 10646 - Universal Multiple-Octet Coded Character Set (UCS)
- Every character is coded in 4 octets
- Allows encoding of all characters used by written languages all over the world
- The practical realisation is specified in the Unicode standard (produced by a consortium)
- Supports multiple encoding formats:
  - UTF-8: octet oriented
  - BMP (UCS-2): half-word oriented
  - UTF-16: half-word oriented
  - UCS-4 (UTF-32): word oriented

UCS Transformation Format 8 (UTF-8)
- Defined in Annex D of ISO/IEC 10646-1:2003, Universal Multiple-Octet Coded Character Set (UCS)
- Required by (almost) all Internet specifications

Format of octets in a UTF-8 sequence

    Octet usage                Format (binary)   No. of free bits   Max UCS-4 value
    1st of 1                   0xxxxxxx          7                  00 00 00 7F
    1st of 2                   110xxxxx          5                  00 00 07 FF
    1st of 3                   1110xxxx          4                  00 00 FF FF
    1st of 4                   11110xxx          3                  00 1F FF FF
    1st of 5                   111110xx          2                  03 FF FF FF
    1st of 6                   1111110x          1                  7F FF FF FF
    Continuation (2nd .. 6th)  10xxxxxx          6

First problem
- We need to compare names and values
- Some characters may be represented in several ways
- It is not possible to do a simple bitwise comparison to check whether two names or values are equal!

Second problem
- Comparison is most often done disregarding case differences
- All upper case letters have to be converted to lower case letters before comparison

String preparation
Text string 1 -> Transcoding -> Transcoded string 1 -> Mapping -> Mapped string 1 -> Normalise -> Normalised string 1
Text string 2 -> Transcoding -> Transcoded string 2 -> Mapping -> Mapped string 2 -> Normalise -> Normalised string 2
Normalised string 1 and Normalised string 2 are then compared octet-wise
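As an added example (not part of the slides), the Python below implements the octet formats from the UTF-8 table and then the transcode, map, normalise, compare pipeline of the string-preparation slide, showing why the bitwise comparison of the "First problem" slide fails. The sample names, the use of case folding for the mapping step and NFKC for normalisation are assumptions of this example.

```python
import unicodedata

# UTF-8 lead-octet formats from the slide's table: (max UCS-4 value, lead marker bits).
# The number of continuation octets equals the row index. Rows 5 and 6 are the original
# six-octet scheme shown on the slide; RFC 3629 restricts UTF-8 to four octets.
UTF8_ROWS = [
    (0x0000007F, 0x00),  # 0xxxxxxx, 7 free bits
    (0x000007FF, 0xC0),  # 110xxxxx, 5 free bits + 1 continuation octet
    (0x0000FFFF, 0xE0),  # 1110xxxx, 4 free bits + 2 continuation octets
    (0x001FFFFF, 0xF0),  # 11110xxx, 3 free bits + 3 continuation octets
    (0x03FFFFFF, 0xF8),  # 111110xx, 2 free bits + 4 continuation octets
    (0x7FFFFFFF, 0xFC),  # 1111110x, 1 free bit  + 5 continuation octets
]

def utf8_encode(code_point: int) -> bytes:
    """Encode one UCS-4 value into the octet sequence the table describes."""
    for n_cont, (limit, marker) in enumerate(UTF8_ROWS):
        if code_point <= limit:
            octets = [marker | (code_point >> (6 * n_cont))]
            for k in range(n_cont - 1, -1, -1):  # continuation octets 10xxxxxx
                octets.append(0x80 | ((code_point >> (6 * k)) & 0x3F))
            return bytes(octets)
    raise ValueError("value outside UCS-4 range")

def prepare(raw: bytes, encoding: str) -> bytes:
    """Slide pipeline: transcode -> map -> normalise -> octets ready for comparison."""
    transcoded = raw.decode(encoding)                   # transcoding: any charset -> UCS
    mapped = transcoded.casefold()                      # mapping: remove case differences
    normalised = unicodedata.normalize("NFKC", mapped)  # one form per character (NFKC assumed)
    return b"".join(utf8_encode(ord(ch)) for ch in normalised)

def names_match(a: bytes, a_enc: str, b: bytes, b_enc: str) -> bool:
    """Octet-wise comparison of the two prepared strings."""
    return prepare(a, a_enc) == prepare(b, b_enc)

# Constructed sample: the same name in Latin-1 (precomposed u-umlaut) and in UTF-16
# (U + combining diaeresis, upper case). Raw octets differ; prepared strings match.
LATIN1_NAME = "Zürich".encode("latin-1")
UTF16_NAME = "ZU\u0308RICH".encode("utf-16")

if __name__ == "__main__":
    print(LATIN1_NAME == UTF16_NAME)                                   # False
    print(names_match(LATIN1_NAME, "latin-1", UTF16_NAME, "utf-16"))  # True
```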

X.509 enhancements
- Notice of future revocation
- Notice of revoked group of entries
- Expired certificates on CRLs
- Advanced certificate matching rule
- XML encoded privilege information
- Clarifications
- Misc. enhancements to PMI
- Etc.

EIDQ Association

Members (30 as at 17 Feb 2004)

E.115 - Computerized directory assistance
[Diagram: User, Operator, Local server, International server, connected by the E.115 protocol]

ITU-T Rec. E.115 (2005) Computerized Directory Assistance
- OSI stack removed
- Home-grown TCP/IP support integrated in the text
- Specifies two versions of the protocol
  - Version 1: the 1995 edition + all agreed extensions
    - All keywords specified in an Annex
    - Complete rewrite and restructuring of the 1995 edition
    - Added clarifications
    - ASN.1 BER encoding
    - Support mandatory
  - Version 2:
    - Keywords replaced by new fields (keyword concept no longer used)
    - Several new enhancements
    - ASN.1 BER and XML (or ASN.1 XER) encoding
    - Future extensions using ITU-T procedure

Version 2 design criteria
- Keep backward compatibility
  - Unchanged fields use the same tag
  - Tags reserved for obsolete fields
  - Common text for unchanged fields
- Keep ASN.1 and XML Schema Definitions (XSD) aligned
  - ASN.1 XER encoding will produce the same encoding as the XSD
  - ASN.1 EXTENDED-XER encoding instruction used

Example of ASN.1 specification

    InquiryPart1 ::= [TAG: APPLICATION 0] IMPLICIT SET {
        messageIndicators        [ATTRIBUTE] [TAG: 0] IMPLICIT E115String (SIZE(4)),
        internationalIndicator   [ATTRIBUTE] [TAG: 1] IMPLICIT E115NumericString (SIZE(8)),
        originatingTerminalCode  [ATTRIBUTE] [TAG: 2] IMPLICIT E115String (SIZE(8)),
        dateAndTime              [ATTRIBUTE] [TAG: 3] IMPLICIT E115NumericString (SIZE(12)) OPTIONAL,
        messageNumber            [ATTRIBUTE] [TAG: 4] IMPLICIT E115String (SIZE(4)) OPTIONAL }

Proximity search

END