Network Working Group                                        S.E. Kille
INTERNET-DRAFT                                University College London
                                                           January 1991

                Building an Internet Directory using X.500

Status of this Memo

The IETF has established a Working Group on OSI Directory Services (IETF-OSI-DS). A major component of the initial work of this group is to establish a technical framework for establishing a Directory Service on the Internet, making use of the X.500 protocols and services [CCI88b]. This document summarises the strategy established by the working group, and describes a number of RFCs which will be written in order to establish the technical framework.

This draft document will be submitted to the RFC Editor as an informational document. Distribution of this memo is unlimited. Please send comments to the author or to the discussion group.

1 Introduction

There is substantial interest in establishing an OSI Directory Service on the Internet. There is pressure to establish a number of services on the Internet, including:

o White Pages lookup of users.

o Support for OSI Applications.

o Support for X.509 Authentication for a range of applications, including Privacy Enhanced Mail [Lin89].

The OSI Directory is viewed as the best basis for achieving these services, for both technical and political reasons. The OSI Directory Standards do not contain sufficient information to enable such a service to be built. Full openness and interoperability are key goals, so the service must not depend on private extensions or informal agreements. This document describes the missing components, and suggests a strategy for filling in the holes. The activity is being limited to (reasonably well) understood issues. This means that whilst we will attempt to solve a wide range of problems, not all (potential) requirements will necessarily be met.

2 Schema

A Directory needs to be used in the context of an Information Framework.
The standard directory provides a number of attributes and object classes to enable basic operation. It is certain that the Internet Community will have requirements for additional attributes and object classes. There is a need to establish a mechanism to register such information.

Pilots in the European RARE Community and the US PSI White Pages Pilot have based their information framework on the THORN and RARE Naming Architecture [Kil89c]. It is proposed to use this architecture for the Internet Pilot, in conjunction with COSINE based piloting in Europe. A revised version of the Naming Architecture will be produced, with a mechanism for registration of new attributes and object classes [KB90].

3 Use on the Internet

It is desirable to decouple deployment of the OSI Directory from deployment of the OSI lower layers. This pilot will not make any mandatory requirements about use of lower layers. When configuring the pilot, variations in the lower layers must be considered. The following options are possible:

o Use of the OSI Network Service (Connection Oriented or Connectionless). It is seen as fundamental to allow use of the OSI lower layers.

o Operation over TCP/IP using RFC 1006 [RC87]. This is a practical requirement of deployment at very many Internet sites, and is the basis of the existing pilot.

o X.25(80) will probably not be used in the infrastructure of the Internet Pilot, but is the basis of some European activities. There will be a practical need to interwork with DSAs which only support this stack.

This approach has the following implications.

1. There is a need to represent TCP/IP addresses within OSI Network Addresses. An Internet Draft, based on a paper by Kille, should be taken as a starting point for this [Kil89a]. It will be necessary to have an Internet Standard in this area.

2. It will be desirable to have a uniform method to present Network Addresses of this style.
Therefore a string representation should be developed in parallel. The Internet Draft, based on a paper by Kille, should be used as a basis for this [Kil89b].

3. This choice leads to the situation where not all DSAs can communicate directly, due to the different choice of lower layers. This is already a practical result of many European sites operating DSAs over X.25. There may be a requirement to extend the distributed operations, so that there is no requirement for full connectivity. This issue will be dealt with in the documents to be generated according to Section 4.

4. When the pilot is deployed, the issue of which DSAs operate which stacks must be considered in order to achieve a coherent service.

4 Replication of Knowledge and Data

There are a number of requirements on replication, both of data and of knowledge information, which must be met before an Internet Directory can be deployed. It is clear that the 1988 standard cannot be used as is. Three solutions were noted:

o Wait until the 1992 standard is available.

o Attempt to intercept the 1992 standard, probably by specification of subset functionality based on the current working documents, and in particular the CD on replication [CCI90].

o Use an interim approach.

It is necessary to define the minimum requirements. These are specified in a separate INTERNET-DRAFT [Kil90a]. The third approach will be taken initially. It will be clearly emphasised that this is an interim approach, which will be phased out as soon as the appropriate standards are available and stable. An interim approach, based on the approach used in the QUIPU implementation and deployed in existing pilots, will be used [Kil88]. This is being documented in an INTERNET-DRAFT [Kil90b].

5 Security

A Directory and Security are closely related. There is no requirement for specification of any Internet specific approaches at this stage.
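Returning briefly to Section 3: the RFC 1006 [RC87] transport option is named there as the basis of the existing pilot, but the draft does not show what that framing looks like on the wire, and the framing is where a DSA listening on TCP first handles untrusted input. The following is an added example written for this page; it is not code from the original draft, from QUIPU, or from any other DSA implementation. It assumes the 4-octet TPKT header defined by RFC 1006 and the ISO 8073 class 0 TPDU layout (connection request code 0xE0, data code 0xF0, parameter codes 0xC0/0xC1/0xC2). The TSAP selectors, source reference and stream bytes in it are constructed sample values, not pilot addresses.

```python
"""RFC 1006 (ISO transport services on top of TCP) framing, as an
illustration of the "operation over TCP/IP" option in Section 3.

Every ISO 8073 class 0 TPDU is carried in a TPKT:
    octet 0     version, always 3
    octet 1     reserved, 0
    octets 2-3  length of the whole packet, header included, big-endian
"""
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
TPKT_MAX_LEN = 0xFFFF

# ISO 8073 TPDU codes and parameter codes used below
CR_TPDU = 0xE0          # connection request; class 0, so the CDT nibble is 0
DT_TPDU = 0xF0          # data
DT_EOT = 0x80           # end-of-TSDU flag in a class 0 DT TPDU
PARAM_TPDU_SIZE = 0xC0
PARAM_CALLING_TSAP = 0xC1
PARAM_CALLED_TSAP = 0xC2


class TPKTError(ValueError):
    """Malformed TPKT header; the TCP connection should be dropped."""


def encode_tpkt(tpdu: bytes) -> bytes:
    """Wrap one TPDU in a TPKT header."""
    total = TPKT_HEADER_LEN + len(tpdu)
    if total > TPKT_MAX_LEN:
        raise TPKTError("TPDU does not fit in a single TPKT")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + tpdu


def decode_tpkts(stream: bytes):
    """Split a TCP byte stream into complete TPDUs.

    Returns (list_of_tpdus, unconsumed_tail). The tail is either empty
    or the start of a TPKT whose remaining octets have not arrived yet.
    """
    tpdus = []
    offset = 0
    while len(stream) - offset >= TPKT_HEADER_LEN:
        version, _reserved, length = struct.unpack_from("!BBH", stream, offset)
        if version != TPKT_VERSION:
            raise TPKTError(f"unexpected TPKT version {version}")
        # A length below 4 would stall the loop (offset never advances) or
        # slice before the header if the peer's value were trusted blindly.
        # Length exactly 4 is legal and yields an empty TPDU.
        if length < TPKT_HEADER_LEN:
            raise TPKTError(f"TPKT length {length} shorter than its header")
        if len(stream) - offset < length:
            break  # partial packet: keep the tail and wait for more bytes
        tpdus.append(stream[offset + TPKT_HEADER_LEN:offset + length])
        offset += length
    return tpdus, stream[offset:]


def build_cr_tpdu(src_ref: int, called_tsap: bytes, calling_tsap: bytes,
                  tpdu_size_code: int = 0x0A) -> bytes:
    """Build a class 0 connection request (CR) TPDU.

    Fixed part: code 0xE0, DST-REF (0 on a CR), SRC-REF, class option
    (0x00 = class 0). Variable part: proposed TPDU size (0x0A = 1024
    octets) and the called/calling TSAP selectors. The length indicator
    (LI) in front counts everything after itself.
    """
    fixed = struct.pack("!BHHB", CR_TPDU, 0, src_ref, 0x00)
    params = (bytes([PARAM_TPDU_SIZE, 1, tpdu_size_code])
              + bytes([PARAM_CALLED_TSAP, len(called_tsap)]) + called_tsap
              + bytes([PARAM_CALLING_TSAP, len(calling_tsap)]) + calling_tsap)
    li = len(fixed) + len(params)
    return bytes([li]) + fixed + params


def build_dt_tpdu(user_data: bytes, last: bool = True) -> bytes:
    """Build a class 0 data (DT) TPDU; LI is always 2 in class 0."""
    return bytes([2, DT_TPDU, DT_EOT if last else 0]) + user_data


if __name__ == "__main__":
    # Constructed sample stream: a CR, one DT carrying an opaque payload,
    # then the first 5 octets of a further TPKT that has not fully arrived.
    cr = build_cr_tpdu(src_ref=1, called_tsap=b"\x00\x01", calling_tsap=b"\x00\x02")
    dt = build_dt_tpdu(b"opaque-session-data")
    wire = encode_tpkt(cr) + encode_tpkt(dt) + b"\x03\x00\x00\x09\x12"
    tpdus, tail = decode_tpkts(wire)
    print(len(tpdus), "complete TPDUs, tail of", len(tail), "octets kept")
    try:
        decode_tpkts(b"\x03\x00\x00\x02")
    except TPKTError as err:
        print("rejected:", err)
```

The check on the length field is the part worth copying: a receiver that advances by the peer-supplied length without first confirming it is at least the header size, and that the whole packet is present, will either spin on a zero-length packet or read past the buffer it was handed. Rejecting the connection on a bad version or length is the safe choice, since nothing in RFC 1006 allows resynchronising a stream once framing is lost.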
Deployment of a directory could be based on one of:

o A read-only system, containing only public data and using local modification.

o Use of X.509 authentication, and private access control mechanisms (this will not allow open access control management, but this is not seen as a fundamental problem) [CCI88a].

A specification on security for the Internet Directory should be developed. This should specify:

o Internet requirements for security in the Directory.

o A recommendation of how to use X.509.

o Recommendations on service requirements for access control, as a hint to implementors who attempt to intercept the 1992 standard or develop private mechanisms.

o A note on security issues (authentication, policy, access control) not being addressed by the standards work, which might require future work.

o Requirements and recommendations for implementors (e.g., in terms of maintaining data confidentiality within an Organisation).

6 Presentation of Directory Names

The standard does not specify a means to present directory names to the user. This is seen as a serious deficiency, and a standard for presenting directory names should be developed. The "User Friendly Name" specification by Kille should be submitted as an Internet Draft, as a starting point for this work [Kil90c].

7 Name Allocation

When the directory is deployed, there will be a need to allocate the top levels of the DIT. Most aspects will need to be tackled on a national basis. This group will consider name allocations at the top of the DIT, and will look at handling of the US part of the DIT. The major aim here will be to ensure that the Internet takes an approach aligned to that of the NADF (North American Directory Forum).

8 DSA Naming and MD Structure

There are some critical issues related to naming of DSAs and the structure of Directory Management Domains. It is likely that there will need to be recommendations on how to handle this.
9 Relation to DNS

It is important to establish the relationship between the proposed Internet Directory and the existing Domain Name System. One input to this work should be the Internet Draft by Kille, to be updated before the meeting [Kil89d].

10 Documents and Timescales

The following work is being undertaken following the Boulder IETF Meeting.

Schema: Revise the COSINE and Internet Naming Architecture. P. Barker/S.E. Kille [KB90].

Network Address Encoding: Revise the Internet Draft [Kil89a]. S.E. Kille.

Address String Encoding: No changes needed to the Internet Draft [Kil89b]. S.E. Kille.

Replication Requirements: Revise the Internet Draft [Kil90a]. S.E. Kille.

Replication Solution: Revise the Internet Draft [Kil90b]. S.E. Kille.

Security: Revise the tabled paper and submit it as an Internet Draft. P. Yee/B. Manning.

Directory Name Presentation: Revise the Internet Draft [Kil90c]. S.E. Kille.

Relation to DNS (Domains and X.500): Revise the Internet Draft [Kil89d]. S.E. Kille.

The changes to this document were agreed at the Boulder meeting. It is expected to progress this document to RFC status in January 1991. The remainder of the documents will be reviewed at the meeting at SRI in February. It is intended to release all of them as RFCs following this meeting. This will allow deployment of the Internet Directory during 1991.

References

[CCI88a] The Directory: Authentication Framework, December 1988. CCITT Recommendation X.509.

[CCI88b] The Directory: Overview of Concepts, Models and Services, December 1988. CCITT X.500 Series Recommendations.

[CCI90] The Directory, Part 9: Replication, October 1990. ISO/IEC CD 9594-9, Ottawa output.

[KB90] S.E. Kille and P. Barker. The COSINE and Internet X.500 Naming Architecture, December 1990. Internet Draft: draft-ietf-osids-cosinex500-01.txt.

[Kil88] S.E. Kille.
The QUIPU Directory Service. In IFIP WG 6.5 Conference on Message Handling Systems and Distributed Applications, pages 173-186. North Holland Publishing, October 1988.

[Kil89a] S.E. Kille. An Interim Approach to Use of Network Addresses. Research Note RN/89/13, Department of Computer Science, University College London, February 1989. Internet Draft: draft-ucl-kille-networkaddresses-01.txt, ps.

[Kil89b] S.E. Kille. A String Encoding of Presentation Address. Research Note RN/89/14, Department of Computer Science, University College London, February 1989. Internet Draft: draft-ucl-kille-presentationaddress-01.txt, ps.

[Kil89c] S.E. Kille. The THORN and RARE Naming Architecture. Technical report, Department of Computer Science, University College London, June 1989. THORN Report UCL-64 (version 2).

[Kil89d] S.E. Kille. X.500 and Domains. Research Note RN/89/47, Department of Computer Science, University College London, May 1989. Also Internet Draft: DRAFT-UCL-KILLE-X500DOMAINS-00.PS.

[Kil90a] S.E. Kille. Replication Requirement to Provide an Internet Directory using X.500, November 1990. Internet Draft: draft-ietf-osids-replication-00.txt.

[Kil90b] S.E. Kille. Replication Requirement to Provide an Internet Directory using X.500: A Proposed Solution, November 1990. Internet Draft: draft-ietf-osids-replsoln-00.txt, ps.

[Kil90c] S.E. Kille. Using the OSI Directory to Achieve User Friendly Naming. Research Note RN/90/29, Department of Computer Science, University College London, February 1990. Internet Draft: draft-ietf-osids-friendlynaming-00.txt, ps.

[Lin89] J. Linn. Privacy Enhancement for Internet Electronic Mail: Part 1: Message Encipherment and Authentication Procedures. Request for Comments 1113, DDN Network Information Center, SRI International, August 1989.

[RC87] Marshall T. Rose and Dwight E. Cass. ISO Transport Services on top of the TCP.
Request for Comments 1006, DDN Network Information Center, SRI International, May 1987.

11 Security Considerations

Security considerations are discussed in Section 5 of this INTERNET-DRAFT.

12 Author's Address

Steve Kille
Department of Computer Science
University College London
Gower Street
London WC1E 6BT
England

Phone: +44-71-380-7294
EMail: S.Kille@CS.UCL.AC.UK