International Telecommunication Union
ITU-T Study Group 17, Moscow, 30 March – 8 April 2005
News from the wonderful world of directories
Erik Andersen
Denmark
Agenda
o The position of X.500/LDAP
o X.500 enhancements
  a) Concept of Friends Attributes
  b) Paging on the DSP
  c) Maximum alignment with LDAP
  d) Enhancements to Public-key and Attribute certificates
o Enhancements to E.115
  a) Functional enhancements
  b) XML access
The X.500/LDAP Directory
o An LDAP or X.500 directory is a general purpose directory
o Gives a set of specifications for:
  • how objects are represented by entries in a directory
  • how objects represented in a directory are named
  • how information about objects is created, organised, interrogated, updated and deleted
o A directory can be distributed, allowing:
  • the establishment of a global Directory
  • information to be maintained by the owner of the information
  • a separation between public and private domains
  • the possibility of replication of information
Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
o LDAP originally developed for X.500 access
o Later developed its own server specifications
o Uses the X.500 model
o Identical in many ways, except for syntax:
  • X.500: Full use of ASN.1
  • LDAP: Simple ASN.1 and Augmented Backus-Naur Form (ABNF)
o Most X.500 implementations support LDAP
o LDAP widely implemented and used
[Figure: two overlapping sets labelled X.500 and LDAP]
Editions of X.500 Directory Specifications
o Developed by ISO/IEC and ITU-T (former CCITT) as:
  • ISO/IEC 9594 multi-part International Standard
  • ITU-T X.500 Series of Recommendations
o Four editions so far:
  • Edition 1: ISO/IEC 9594:1990 | CCITT X.500 (1988)
  • Edition 2: ISO/IEC 9594:1995 | ITU-T X.500 (1993)
  • Edition 3: ISO/IEC 9594:1998 | ITU-T X.500 (1997)
  • Edition 4: ISO/IEC 9594:2001 | ITU-T X.500 (2001)
X.500 5th edition enhancements
Concept of Friends Attributes
Paging on the DSP
Maximum alignment with LDAP
Enhancements to Public-key and Attribute certificates
Expected publication: During 2005
Friend attributes
Attribute subtyping – same syntax:
  name
    commonName, localityName, surname, givenName
Friend attributes – possibly different syntaxes:
  commAddress
    telephoneNumber (E.164 syntax)
    url (RFC 1738 syntax)
    email (RFC 822 syntax)
Paged results on the DSP
[Figure: a User's DUA binds over DAP to the Bound DSA; the Bound DSA chains the request over DSP to further DSAs, which in turn use DSP between themselves. The Bound DSA returns a Bound-DSA paged result to the DUA, while the DSAs exchange DSP paged results among themselves.]
Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
[Figure: two partially overlapping sets labelled X.500 and LDAP]
Relationship between X.500 and LDAP with maximum alignment
[Figure: the set labelled LDAP lies entirely inside the set labelled X.500]
Maximum X.500 alignment with LDAP
o Alignment of concepts – add LDAP concepts so that the LDAP concepts become a subset of the X.500 concepts
o Simplify specifications – remove the dependency on lower-layer documentation
o Alignment of operations (replace value)
o Multiple namespaces (Directory Information Trees)
o Directory consisting of a mix of LDAP and X.500 servers
o ISO 10646 (UTF-8) matching
o Component matching
NOTE – One-way alignment
A distributed directory
[Figure: a Directory made up of several DSAs and an LDAP server. A User accesses it either through a DUA over DAP or through an LDAP client over LDAP; the servers are interconnected over DSP and LDAP.]
Matching problem
Directory entry – one attribute holding two certificate values:
  Certificate 1: keyUsage = digitalSignature; certificatePolicies = {… policyIdentifier = { a.b.c }}
  Certificate 2: keyUsage = dataEncipherment; certificatePolicies = {… policyIdentifier = { a.b.d }}
Filter: keyUsage = digitalSignature AND policyIdentifier = { a b d }
Neither certificate satisfies both conditions on its own, yet a filter that tests each condition against the attribute as a whole is satisfied, because Certificate 1 satisfies the first condition and Certificate 2 the second.
Component matching rule
[Figure: an attribute value made up of components m, n and o; a ComponentMatch is asserted against component n]
o Evaluates to TRUE if the component matches
o Can be combined by AND, OR and NOT operations in any combination and nesting level onto a particular attribute value of a particular attribute type
o Evaluates to TRUE if just one attribute value of the attribute type evaluates to TRUE
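Added example, not part of this ITU-T presentation: a Python sketch of the matching problem above and of the component matching rule. The attribute type name userCertificate, the dictionary form of the two certificates and the tuple-based assertion syntax are assumptions made only for this illustration; the point it shows is the difference between combining leaf matches at attribute level and evaluating the whole combined assertion against one value at a time.

```python
"""Added example (not ITU-T code): attribute-level matching versus the
component matching rule on a multi-valued attribute.  The certificate
records are constructed toy dicts, not real X.509 certificates."""

# Constructed sample: one directory entry whose userCertificate attribute
# (name assumed) holds two values, each with a keyUsage and a policy OID.
ENTRY = {
    "userCertificate": [
        {"keyUsage": "digitalSignature", "policyIdentifier": "a.b.c"},  # Certificate 1
        {"keyUsage": "dataEncipherment", "policyIdentifier": "a.b.d"},  # Certificate 2
    ]
}


def component(name, value):
    """Assertion on one component of a single attribute value."""
    return ("eq", name, value)


def and_(*parts):
    return ("and",) + parts


def or_(*parts):
    return ("or",) + parts


def not_(part):
    return ("not", part)


def eval_on_value(assertion, attr_value):
    """Evaluate a (possibly nested) assertion against ONE attribute value."""
    op = assertion[0]
    if op == "eq":
        return attr_value.get(assertion[1]) == assertion[2]
    if op == "and":
        return all(eval_on_value(p, attr_value) for p in assertion[1:])
    if op == "or":
        return any(eval_on_value(p, attr_value) for p in assertion[1:])
    if op == "not":
        return not eval_on_value(assertion[1], attr_value)
    raise ValueError(f"unknown operator {op!r}")


def naive_match(entry, attr_type, assertion):
    """The 'matching problem': each leaf is matched against the attribute as a
    whole (TRUE if ANY value satisfies it) and the results are then combined,
    so two leaves can be satisfied by two different values."""
    values = entry.get(attr_type, [])
    op = assertion[0]
    if op == "eq":
        return any(eval_on_value(assertion, v) for v in values)
    if op == "and":
        return all(naive_match(entry, attr_type, p) for p in assertion[1:])
    if op == "or":
        return any(naive_match(entry, attr_type, p) for p in assertion[1:])
    if op == "not":
        return not naive_match(entry, attr_type, assertion[1])
    raise ValueError(f"unknown operator {op!r}")


def component_match(entry, attr_type, assertion):
    """Component matching rule: the whole combined assertion is evaluated per
    value; the attribute matches if at least one value evaluates to TRUE."""
    return any(eval_on_value(assertion, v) for v in entry.get(attr_type, []))


# The filter from the slide: keyUsage = digitalSignature AND policyIdentifier = a.b.d
FILTER = and_(component("keyUsage", "digitalSignature"),
              component("policyIdentifier", "a.b.d"))

if __name__ == "__main__":
    print("attribute-level match:", naive_match(ENTRY, "userCertificate", FILTER))
    print("component match:      ", component_match(ENTRY, "userCertificate", FILTER))
```

With the entry above the attribute-level evaluation answers TRUE although no single certificate has both properties; the component matching rule answers FALSE, and answers TRUE only for assertions that one value satisfies in full.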
DirectoryString
DirectoryString { INTEGER : maxSize } ::= CHOICE {
  teletexString    TeletexString (SIZE (1..maxSize)),
  printableString  PrintableString (SIZE (1..maxSize)),
  bmpString        BMPString (SIZE (1..maxSize)),
  universalString  UniversalString (SIZE (1..maxSize)),
  uTF8String       UTF8String (SIZE (1..maxSize)) }
ISO/IEC 10646 – The base character set standard
o ISO/IEC 10646 - Universal Multiple-Octet Coded Character Set (UCS)
o Every character is coded in 4 octets
o Allows encoding of all characters used by written languages all over the world
o The practical realisation is specified in the Unicode standard (produced by a consortium)
o Supports multiple encoding formats:
  • UTF-8 - octet oriented
  • BMP (UCS-2) - half word oriented
  • UTF-16 - half word oriented
  • UCS-4 (UTF-32) - word oriented
UCS Transformation Format 8 (UTF-8)
Defined in Annex D of ISO/IEC 10646-1 : 2003, Universal Multiple-Octet Coded Character Set (UCS)
Required by (almost) all Internet specifications
Format of octets in a UTF-8 sequence

Octet usage   Format (binary)   No. of free bits   Max UCS-4 value
1st of 1      0xxxxxxx          7                  00 00 00 7F
1st of 2      110xxxxx          5                  00 00 07 FF
1st of 3      1110xxxx          4                  00 00 FF FF
1st of 4      11110xxx          3                  00 1F FF FF
1st of 5      111110xx          2                  03 FF FF FF
1st of 6      1111110x          1                  7F FF FF FF
Continuation
2nd .. 6th    10xxxxxx          6
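Added example, not part of this ITU-T presentation: a strict UTF-8 decoder written directly from the octet-format table above. It accepts the full 1..6 octet scheme the table lists (the original ISO/IEC 10646 Annex D form; the IETF profile in RFC 3629 later limited UTF-8 to 4 octets and U+10FFFF, so a decoder for Internet protocols would additionally reject 5- and 6-octet forms) and refuses malformed input: a continuation octet in lead position, a truncated sequence, and an overlong encoding, that is a value the table says already fits in fewer octets. Overlong forms matter for matching because they let one character have several octet representations.

```python
"""Added example (not ITU-T code): UTF-8 decoding driven by the lead-octet
table above, with rejection of malformed and overlong sequences."""

# (lead-octet mask, lead-octet pattern, number of octets, max UCS-4 value),
# one row per "1st of n" line of the table.
LEAD_FORMS = [
    (0b10000000, 0b00000000, 1, 0x0000007F),  # 0xxxxxxx
    (0b11100000, 0b11000000, 2, 0x000007FF),  # 110xxxxx
    (0b11110000, 0b11100000, 3, 0x0000FFFF),  # 1110xxxx
    (0b11111000, 0b11110000, 4, 0x001FFFFF),  # 11110xxx
    (0b11111100, 0b11111000, 5, 0x03FFFFFF),  # 111110xx
    (0b11111110, 0b11111100, 6, 0x7FFFFFFF),  # 1111110x
]


def sequence_length(lead: int):
    """Return (n_octets, max_value) for a lead octet; raise on 10xxxxxx or 1111111x."""
    for mask, pattern, n, max_value in LEAD_FORMS:
        if lead & mask == pattern:
            return n, max_value
    raise ValueError(f"invalid lead octet 0x{lead:02X}")


def decode_utf8(data: bytes) -> list:
    """Decode an octet string into a list of UCS-4 code values, strictly."""
    out = []
    i = 0
    while i < len(data):
        n, max_value = sequence_length(data[i])
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        # free bits in the lead octet: 7 for a 1-octet form, otherwise 7 - n
        free = 7 if n == 1 else 7 - n
        value = data[i] & ((1 << free) - 1)
        for j in range(1, n):
            c = data[i + j]
            if c & 0b11000000 != 0b10000000:      # continuation must be 10xxxxxx
                raise ValueError(f"bad continuation octet at offset {i + j}")
            value = (value << 6) | (c & 0b00111111)  # 6 free bits per continuation
        # Overlong check: the value must exceed the maximum of the next shorter form.
        prev_max = LEAD_FORMS[n - 2][3] if n > 1 else -1
        if value <= prev_max:
            raise ValueError(f"overlong {n}-octet encoding of U+{value:04X} at offset {i}")
        assert value <= max_value  # guaranteed by the bit counts in the table
        out.append(value)
        i += n
    return out


def is_well_formed(data: bytes) -> bool:
    """True if decode_utf8 accepts the octet string."""
    try:
        decode_utf8(data)
        return True
    except ValueError:
        return False
```

The overlong check uses the "Max UCS-4 value" column: a 2-octet sequence whose value is at most 7F, a 3-octet sequence whose value is at most 7FF, and so on, is rejected.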
First problem
o We need to compare names and values
o Some characters may be represented in several ways
o It is not possible to do a simple bitwise comparison to check if two names or values are equal!
Second problem
o Comparison is most often done disregarding case differences
o All upper case letters have to be converted to lower case letters before comparison
String preparation
[Figure: each of the two text strings passes through the same three steps before the results are compared octet wise]
Text string 1 → Transcoding → Transcoded string 1 → Mapping → Mapped string 1 → Normalise → Normalised string 1
Text string 2 → Transcoding → Transcoded string 2 → Mapping → Mapped string 2 → Normalise → Normalised string 2
Normalised string 1 and Normalised string 2: octet wise comparison
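Added example, not part of this ITU-T presentation: a Python version of the three-step pipeline above, run on both strings before an octet-wise comparison, addressing the two problems stated on the preceding slides (several representations of one character, and case differences). The concrete choices in each step are assumptions made for the illustration, not the profile the X.500 specifications define: transcoding decodes the input octets (Latin-1 or UTF-8 here) to UCS code points, mapping drops control characters and folds case, and normalisation applies Unicode NFKC so that, for example, "A" followed by a combining ring and the precomposed "Å" become the same code point.

```python
"""Added example (not ITU-T code): transcode -> map -> normalise, then
compare octet wise.  Step contents are illustrative assumptions."""

import unicodedata


def transcode(octets: bytes, encoding: str) -> str:
    """Transcoding: from the string's native octet encoding to UCS code points."""
    return octets.decode(encoding)


def map_string(s: str) -> str:
    """Mapping: drop control characters, then fold case (caseIgnore comparison)."""
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Cc")
    return s.casefold()


def normalise(s: str) -> str:
    """Normalisation: NFKC, so canonically and compatibly equivalent sequences coincide."""
    return unicodedata.normalize("NFKC", s)


def prepare(octets: bytes, encoding: str = "utf-8") -> bytes:
    """Full pipeline; the result is the UTF-8 octet string used for comparison."""
    return normalise(map_string(transcode(octets, encoding))).encode("utf-8")


def octetwise_equal(a: bytes, b: bytes) -> bool:
    """The only comparison the matching code itself performs."""
    return a == b


def names_equal(a: bytes, a_enc: str, b: bytes, b_enc: str) -> bool:
    """Compare two names given in possibly different encodings and forms."""
    return octetwise_equal(prepare(a, a_enc), prepare(b, b_enc))


# Constructed inputs: the same name in three different octet representations.
NAME_LATIN1 = "Åse Ørsted".encode("latin-1")                    # single-octet encoding, precomposed
NAME_UTF8_DECOMPOSED = "A\u030ase \u00d8rsted".encode("utf-8")  # 'A' + combining ring above
NAME_UTF8_LOWER = "åse ørsted".encode("utf-8")                   # lower case, precomposed
```

A plain octet comparison of any two of the three constructed inputs fails; after preparation all three compare equal, while a genuinely different name still does not.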
X.509 enhancements
Notice of future revocation
Notice of revoked group of entries
Expired certificates on CRLs
Advanced certificate matching rule
XML encoded privilege information
Clarifications
Misc. enhancements to PMI
Etc.
EIDQ Association
Source: David Stafford, General Secretary EIDQ Association
Members (30 as at 17 Feb 2004)
E.115 - Computerized directory assistance
[Figure: an Operator or User queries a Local server, which forwards the inquiry to an International server over the E.115 protocol]
ITU-T Rec. E.115 (2005) Computerized Directory Assistance
o OSI stack removed
o Home grown TCP/IP support integrated in the text
o Specifies two versions of the protocol
Version 1:
  • The 1995 edition + all agreed extensions
  • All keywords specified in an Annex
  • Complete rewrite and restructuring of the 1995 edition
  • Added clarifications
  • ASN.1 BER encoding
  • Support mandatory
Version 2:
  • Keywords replaced by new fields – keyword concept no longer used
  • Several new enhancements
  • ASN.1 BER and XML (or ASN.1 XER) encoding
  • Future extensions using the ITU-T procedure
Version 2 design criteria
o Keep backward compatibility
  • Unchanged fields use the same tag
  • Tags reserved for obsolete fields
  • Common text for unchanged fields
o Keep ASN.1 and XML Schema Definitions (XSD) aligned
  • ASN.1 XER encoding will produce the same encoding as the XSD
  • ASN.1 EXTENDED-XER encoding instructions used
Example of ASN.1 specification
InquiryPart1 ::= [ TAG: APPLICATION 0 ] IMPLICIT SET {
  messageIndicators        [ATTRIBUTE] [TAG: 0] IMPLICIT E115String (SIZE(4)),
  internationalIndicator   [ATTRIBUTE] [TAG: 1] IMPLICIT E115NumericString (SIZE(8)),
  originatingTerminalCode  [ATTRIBUTE] [TAG: 2] IMPLICIT E115String (SIZE(8)),
  dateAndTime              [ATTRIBUTE] [TAG: 3] IMPLICIT E115NumericString (SIZE(12)) OPTIONAL,
  messageNumber            [ATTRIBUTE] [TAG: 4] IMPLICIT E115String (SIZE(4)) OPTIONAL }
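Added example, not taken from E.115 or from this presentation: a small validator and encoder for the InquiryPart1 type shown above, illustrating the two encodings the deck names for version 2 (BER and XML via EXTENDED-XER). It enforces the SIZE constraints and the presence of mandatory components, emits the XML form in which every component marked [ATTRIBUTE] becomes an XML attribute of the enclosing element rather than a child element, and builds the BER octets implied by the IMPLICIT tags (a constructed [APPLICATION 0] SET containing primitive context-specific [0]..[4] strings). The character sets of E115String (printable ASCII) and E115NumericString (digits only) are assumptions, as are the sample field values.

```python
"""Added example (not ITU-T code): constraint checking, EXTENDED-XER style
XML and BER encoding for the InquiryPart1 type above.  String syntaxes and
sample values are assumptions."""

import re
from xml.sax.saxutils import quoteattr

# (component name, context tag, syntax, fixed SIZE, OPTIONAL) transcribed from the ASN.1
FIELDS = [
    ("messageIndicators",       0, "E115String",        4,  False),
    ("internationalIndicator",  1, "E115NumericString", 8,  False),
    ("originatingTerminalCode", 2, "E115String",        8,  False),
    ("dateAndTime",             3, "E115NumericString", 12, True),
    ("messageNumber",           4, "E115String",        4,  True),
]

SYNTAX = {
    "E115String": re.compile(r"^[\x20-\x7E]*$"),   # assumption: printable ASCII
    "E115NumericString": re.compile(r"^[0-9]*$"),  # assumption: digits only
}


def validate(values: dict) -> dict:
    """Check unknown names, mandatory presence, syntax and fixed SIZE of each component."""
    unknown = set(values) - {f[0] for f in FIELDS}
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    for name, _tag, syntax, size, optional in FIELDS:
        if name not in values:
            if optional:
                continue
            raise ValueError(f"missing mandatory component {name}")
        v = values[name]
        if len(v) != size:
            raise ValueError(f"{name}: SIZE({size}) violated by length {len(v)}")
        if not SYNTAX[syntax].match(v):
            raise ValueError(f"{name}: not a valid {syntax}")
    return values


def to_xer(values: dict) -> str:
    """XML form: [ATTRIBUTE] components are attributes of the <InquiryPart1> element."""
    validate(values)
    attrs = " ".join(f"{name}={quoteattr(values[name])}"
                     for name, *_ in FIELDS if name in values)
    return f"<InquiryPart1 {attrs}/>"


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value triple; short-form length is enough here (max SIZE 12)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def to_ber(values: dict) -> bytes:
    """BER form: IMPLICIT context tags [n] (primitive, 0x80 | n) inside a
    constructed [APPLICATION 0] SET (tag octet 0x60)."""
    validate(values)
    body = b"".join(_tlv(0x80 | tag, values[name].encode("ascii"))
                    for name, tag, *_ in FIELDS if name in values)
    return _tlv(0x60, body)


# Constructed sample inquiry header (values are illustrative, not real E.115 traffic)
SAMPLE = {
    "messageIndicators": "INQ1",
    "internationalIndicator": "00000045",
    "originatingTerminalCode": "DK000001",
}

if __name__ == "__main__":
    print(to_xer(SAMPLE))
    print(to_ber(SAMPLE).hex())
```

Because the SET is encoded with IMPLICIT tags, the universal string tags never appear on the wire; the receiver recovers the component from the context tag alone, which is why the design criterion of keeping the same tag for unchanged fields preserves compatibility between versions.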
Proximity search
END