News from the wonderful world of directories

International Telecommunication Union

ITU-T Study Group 17, Moscow, 30 March – 8 April 2005

News from the News from the wonderful world of wonderful world of

directoriesdirectoriesErik Andersen

Denmark

2dates

ITU-T


Agenda

The position of X.500/LDAPX.500 enhancements

a) Concept of Friends Attributesb) Paging on the DSPc) Maximum alignment with LDAPd) Enhancements to Public-key

and Attribute certificatesEnhancements to E.115

a) Functional enhancementsb) XML access

3dates

ITU-T


The X.500/LDAP DirectoryAn LDAP or X.500 directory is a general purpose directoryGives a set of specifications for:

how objects are represented by entries in a directoryhow objects represented in a directory are namedhow information about objects is created, organised, interrogated, updated and deleted

A directory can be distributed allowing:the establishment of a global Directoryinformation to be maintained by the owner of informationa separation between public and private domainspossibility for replication of information

4dates

ITU-T


Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)

LDAP originally developed for X.500 accessLater developed own server specificationsUses the X.500 modelIdentical in many ways, except for syntax

X.500: Full use of ASN.1LDAP: Simple ASN.1 and Augmented Backus-Naur Form (ABNF)

Most X.500 implementations support LDAPLDAP widely implemented and used

X.500 LDAP

6dates

ITU-T


Editions of X.500 Directory Specifications

Developed by ISO/IEC and ITU-T (former CCITT) as:ISO/IEC 9594 multi-part International StandardITU-T X.500 Series of Recommendations

Four editions so far:Edition 2: ISO/IEC 9594:1995 | ITU-T X.500 (1993) Edition 1: ISO/IEC 9594:1990 | CCITT X.500 (1988)Edition 3: ISO/IEC 9594:1998 | ITU-T X.500 (1997)Edition 4: ISO/IEC 9594:2001 | ITU-T X.500 (2001)

7dates

ITU-T


X.500 5th edition enhancements

Concept of Friends Attributes

Paging on the DSP

Maximum alignment with LDAP

Enhancements to Public-key and Attribute certificates

Expected publication: During 2005

8dates

ITU-T


Friend attributesAttribute subtyping – same syntax:

name

commonName localityName surname givenName

Friend attributes – possibly different syntaxes:

commAddress

telephoneNumber(E.164 syntax)

url(RFC 1738 syntax)

email(RFC 822 syntax)

9dates

ITU-T


Paged results on the DSP

Bound DSA

DSA

DSA DSA

User DUA

DAP DSP

DSP DSP

DSPDSPDSP

Bound-DSA paged result

DSP paged result

10dates

ITU-T


Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)

X.500 LDAP

11dates

ITU-T


Relationship between X.500 and LDAP with maximum alignment

X.500 LDAP

12dates

ITU-T


Maximum X.500 alignment with LDAP

o Alignment of concepts – add LDAP concepts to make LDAP concepts a subset of X.500 concepts.

o Simplify specifications – removal of dependency of lower layer documentation

o Alignment of operations (replace value)

o Multiple namespaces (Directory Information Trees)

o Directory consisting of LDAP and X.500 server mix

o ISO 10646 (UTF-8) matching

o Component matching

NOTE – One way alignment

13dates

ITU-T


A distributed directory

A directory

DSA

LDAPserver

DSA

DSADSA DUA

LDAPclient

LDAP

User

DUA User

DAP

DSP DSP

LDAP

14dates

ITU-T


Matching problem

keyUsage =digitalSignature

certificatePolicies = {…policyIdentifier = { a.b.c}}

Certificate 1

keyUsage =dataEncipherment

certificatePolicies = {…policyIdentifier = { a.b.d}}

Certificate 2

Directory entry

keyUsage = digitalSignatureAnd

policyIndentifier = { a b d }

Filter

Attribute

15dates

ITU-T


Component matching rule

ComponentMatch against component n

Component m

Component n

Component o

Attribute value

Evaluate to TRUE if matchCan be combined by AND, OR and NOT operations in any combination and nesting level onto a particular attribute value of a particular attribute typeEvaluates to TRUE if just one attribute value of the attribute type evaluates to TRUE

16dates

ITU-T


DirectoryString

DirectoryString { INTEGER : maxSize } ::= CHOICE {teletexString TeletexString (SIZE (1..maxSize)),printableString PrintableString (SIZE (1..maxSize)),bmpString BMPString (SIZE (1..maxSize)),universalString UniversalString (SIZE (1..maxSize)), uTF8String UTF8String (SIZE (1..maxSize)) }

Erik Andersen

Et directory distinguished name består af en række navnekomponenter. Selv om det ikke er direkte krævet, så er disse navnekomponenter i praksis attributter med DirectoryString som syntax. Så, spørgsmålet om håndtering af navne er er spørgsmål om, hvorledes en DirectoryString syntax håndteres. Her skal specielt fokuseres på en UTF8´String, men også på den mere generelle UniversalString og BMPString.

17dates

ITU-T


ISO/IEC 10646The base character set standard

ISO/IEC 10646 - Universal Multiple-Octet Coded Character Set (UCS)Every character is coded in 4 octetsAllows encoding of all characters used by written languages all over the worldThe practical realisation is specified in the Unicode standard (produced by a consortium)Supports multiple encoding formats:

UTF-8 - octet orientedBMP (UCS-2) - half word orientedUTF-16 - half word orientedUCS-4 (UTF-32) - word oriented

19dates

ITU-T


UCS Transformation Format 8(UTF-8)

Defined in Annex D of ISO/IEC 10646-1 : 2003, Universal Multiple-Octet Coded Character Set (UCS)

Required by (almost) all Internet specifications

20dates

ITU-T


Format of octets in a UTF-8 sequence

Octet usage Format(binary)

No. of free bits

Max UCS-4-value

1st of 1 0xxxxxxx 7 00 00 00 7F1st of 2 110xxxxx 5 00 00 07 FF1st of 3 1110xxxx 4 00 00 FF FF1st of 4 11110xxx 3 00 1F FF FF1st of 5 111110 xx 2 03 FF FF FF1st of 6 1111110x 1 7F FF FF FF

Continuation

2nd .. 6th10xxxxxx 6

22dates

ITU-T


First problem

We need to compare names and valuesSome characters may be represented in several ways

It is not possible to do a simple bitwise comparison to check if two names or values

are equal!

23dates

ITU-T


Second problem

Comparison is most often done disregarding case differences

All upper case letters have to be converted to lower case letters before

comparison

24dates

ITU-T


String preparation

Octet wise comparison

Text string 1

Transcoded string 1

Transcoding

Mapped string 1

Mapping

Normalised string 1

Normalise

Text string 2

Transcoded string 2

Transcoding

Mapped string 2

Mapping

Normalised string 2

Normalise

25dates

ITU-T


X.509 enhancements

Notice of future revocation

Notice of revoked group of entries

Expired certificates on CRLs

Advanced certificate matching rule

XML encoded privilege information

Clarifications

Misc. enhancements to PMI

Etc.

26dates

ITU-T


EIDQ Association

Source: David Stafford, General Secretary EIDQ Association 27

Members (30 as at 17 Feb 2004)

28dates

ITU-T


E.115 - Computerized directory assistance

Operator

User

Local server

International server

E.115 protocol

29dates

ITU-T


ITU-T Rec. E.115 (2005) Computerized Directory Assistance

OSI stack removedHome grown TCP/IP support integrated in textSpecifies two versions of the protocolVersion 1:• The 1995 edition + all agreed extensions• All keywords specified in Annex• Complete rewrite and restructuring of 1995 edition• Added clarifications• ASN.1 BER encoding• Support mandatory

Version 2:• Keywords replaced by new fields – keyword concept no

longer used• Several new enhancements• ASN.1 BER and XML (or ASN.1 XER) encoding• Future extensions using ITU-T procedure

30dates

ITU-T


Version 2 design criteria

o Keep backward compatibility• Unchanged fields use same tag• Tags reserved for obsolete fields• Common text for unchanged fields

o Keep ASN.1 and XML Schema Definitions (XSD) aligned• ASN.1 XER encoding will produce same

encoding as the XSD• ASN.1 EXTENDED-XER encoding

instruction used

31dates

ITU-T


Example of ASN.1 specification

InquiryPart1 ::= [ TAG: APPLICATION 0 ] IMPLICIT SET { messageIndicators [ATTRIBUTE] [TAG: 0] IMPLICIT E115String (SIZE(4)), internationalIndicator [ATTRIBUTE] [TAG: 1] IMPLICIT E115NumericString (SIZE(8)), originatingTerminalCode [ATTRIBUTE] [TAG: 2] IMPLICIT E115String (SIZE(8)), dateAndTime [ATTRIBUTE] [TAG: 3] IMPLICIT E115NumericString (SIZE(12))OPTIONAL, messageNumber [ATTRIBUTE] [TAG: 4] IMPLICIT E115String (SIZE(4)) OPTIONAL }

32dates

ITU-T


Proximity search

33dates

ITU-T


ENDEND

Documents

News from the wonderful world of directories