Network Working Group                                             S.E. Kille
INTERNET--DRAFT                                   University College London
                                                                   January 1991



                Building an Internet Directory using X.500



Status of this Memo

The IETF has established a Working Group on OSI Directory Services
(IETF-OSI-DS). A major component of the initial work of this group is
to establish a technical framework for establishing a Directory
Service on the Internet, making use of the X.500 protocols and
services [CCI88b].   This document summarises the strategy established
by the working group, and describes a number of RFCs which will be
written in order to establish the technical framework.

This draft document will be submitted to the RFC editor as an
informational document.   Distribution of this memo is unlimited.
Please send comments to the author or to the discussion group
<osi-ds@CS.UCL.AC.UK>.


INTERNET--DRAFT        Building an Internet Directory       January 1991



1   Introduction

There is substantial interest in establishing an OSI Directory Service
on the Internet.   There is pressure to establish a number of services
on the Internet, including:


   o White Pages lookup of users.


   o Support for OSI Applications.


   o Support for X.509 Authentication for a range of applications,
     including Privacy Enhanced Mail [Lin89].


The OSI Directory is viewed as the best basis for achieving these
services, for both technical and political reasons.

The OSI Directory Standards do not contain sufficient information to
enable such a service to be built.   Full openness and interoperability
are a key goal, so service must not depend on private extensions or
informal agreements.   This document describes the missing components,
and suggests a strategy for filling in the holes.

The activity is being limited to (reasonably well) understood issues.
This means that whilst we will attempt to solve a wide range of
problems, not all (potential) requirements will necessarily be met.



2   Schema

A Directory needs to be used in the context of an Information
Framework.   The standard directory provides a number of attributes
and object classes to enable basic operation.   It is certain that the
Internet Community will have requirements for additional attributes
and object classes.   There is a need to establish a mechanism to
register such information.

Pilots in the European RARE Community and the US PSI White Pages Pilot
have based their information framework on the THORN and RARE Naming
Architecture [Kil89c].   It is proposed to use this architecture for
the Internet Pilot, in conjunction with COSINE based piloting in
Europe.   A revised version of the Naming Architecture will be
produced, with a mechanism for registration of new attributes and
object classes [KB90].



Kille                                                                    Page 1





3   Use on the Internet

It is desirable to decouple deployment of the OSI Directory from
deployment of the OSI lower layers.   This pilot will not make any
mandatory requirements about use of lower layers.   When configuring
the pilot, variations in the lower layers must be considered.   The
following options are possible:


   o Use of OSI Network Service (Connection Oriented or
     Connectionless).   It is seen as fundamental to allow use of the
     OSI lower layers.


   o Operation over TCP/IP using RFC 1006 [RC87].   This is a practical
     requirement of deployment at very many Internet sites, and is the
     basis of the existing pilot.


   o X.25(80) will probably not be used in the infrastructure of the
     Internet Pilot, but is the basis of some European activities.
     There will be a practical need to interwork with DSAs which only
     support this stack.


This approach has the following implications.


  1. There is a need to represent TCP/IP addresses within OSI Network
     Addresses.   An Internet Draft, based on a paper by Kille, should
     be taken as a starting point for this [Kil89a].   It will be
     necessary to have an Internet Standard in this area.


  2. It will be desirable to have a uniform method to present Network
     Addresses of this style.   Therefore a string representation should
     be developed in parallel.   The Internet Draft, based on a paper by
     Kille, should be used as a basis for this [Kil89b].


  3. This choice leads to the situation where not all DSAs can
     communicate directly, due to the different choice of lower layers.
     This is already a practical result of many European sites
     operating DSAs over X.25.   There may be a requirement to extend
     the distributed operations, so that there is no requirement for
     full connectivity.   This issue will be dealt with in the documents
     to be generated according to Section 4.


  4. When the pilot is deployed, the issue of which DSAs operate which
     stacks must be considered in order to achieve a coherent service.






4   Replication of Knowledge and Data

There are a number of requirements on replication, both of data and
knowledge information, which must be met before an Internet Directory
can be deployed.   It is clear that the 1988 standard cannot be used as
is.   Three solutions were noted:


   o Wait until the 1992 standard is available


   o Attempt to intercept the 1992 standard, probably by specification
     of subset functionality based on the current working documents,
     and in particular the CD on replication [CCI90].


   o Use an interim approach


It is necessary to define the minimum requirements.   This is specified
in a separate INTERNET--DRAFT [Kil90a].

The third approach will be taken initially.   It will be clearly
emphasised that this is an interim approach, which will be phased out
as soon as the appropriate standards are available and stable.   An
interim approach, based on the approach used in the QUIPU
Implementation and deployed in existing pilots, will be used [Kil88].
This is being documented in an INTERNET--DRAFT [Kil90b].



5   Security

A Directory and Security are closely related.   There is no requirement
for specification of any Internet specific approaches at this stage.
Deployment of a directory could be based on one of:


   o Read only system, containing only public data and using local
     modification.


   o Use of X.509 authentication, and private access control mechanisms
     (this will not allow open access control management, but this is
     not seen as a fundamental problem) [CCI88a].


A specification on security for the Internet Directory should be
developed.   This should specify:


   o Internet requirements for security in the Directory


   o A recommendation of how to use X.509






   o Recommendation on service requirements for access control, as a
     hint to implementors who attempt to intercept the 1992 standard or
     develop private mechanisms


   o A note on security issues (authentication, policy, access control)
     not being addressed by the standards work, which might require
     future work


   o Requirements and recommendations for implementors (e.g., in terms
     of maintaining data confidentiality within an Organisation)



6   Presentation of Directory Names

The standard does not specify a means to present directory names to
the user.   This is seen as a serious deficiency, and a standard for
presenting directory names should be developed.   The "User Friendly
Name" specification by Kille should be submitted as an Internet
Draft, as a starting point for this work [Kil90c].



7   Name Allocation

When the directory is deployed, there will be a need to allocate the
top levels of the DIT. Most aspects will need to be tackled on a
national basis.   This group will consider name allocations at the top
of the DIT, and will look at handling of the US part of the DIT. The
major aim here will be to ensure that the Internet takes an approach
aligned to that of the NADF (North American Directory Forum).



8   DSA Naming and MD Structure

There are some critical issues related to naming of DSAs and the
structure of Directory Management Domains.   It is likely that there
will need to be recommendations on how to handle this.



9   Relation to DNS

It is important to establish the relationship between the proposed
Internet Directory, and the existing Domain Name System.   One input to
this work should be the Internet Draft by Kille, to be updated before
the meeting [Kil89d].






10   Documents and Timescales

The following work is being undertaken following the Boulder IETF
Meeting.



Schema                       Revise Cosine and Internet Naming
                             Architecture.   P. Barker/S.E. Kille [KB90]

Network Address Encoding     Revise the Internet Draft [Kil89a].
                             S.E. Kille.

Address String Encoding      No changes needed to the Internet Draft
                             [Kil89b].   S.E. Kille.

Replication Requirements     Revise the Internet Draft [Kil90a].
                             S.E. Kille.

Replication Solution         Revise the Internet Draft [Kil90b].
                             S.E. Kille.

Security                     Revise the tabled paper and submit as an
                             Internet Draft.   P. Yee/B. Manning

Directory Name Presentation  Revise the Internet Draft [Kil90c].
                             S.E. Kille.

Relation to DNS              (Domains and X.500) Revise the Internet
                             Draft [Kil89d].   S.E. Kille.



The changes to this document were agreed at the Boulder meeting.   It
is expected to progress this document to RFC Status in January 1991.

The remainder of the documents will be reviewed at the meeting at SRI
in February.   It is intended to release all of them as RFCs following
this meeting.   This will allow deployment of the Internet Directory
during 1991.



References

[CCI88a]  The directory --- authentication framework, December 1988.
          CCITT Recommendation X.509.

[CCI88b]  The directory --- overview of concepts, models and services,
          December 1988.  CCITT X.500 Series Recommendations.

[CCI90]   The directory --- part 9 --- replication, October 1990.
          ISO/IEC CD 9594-9 Ottawa output.






[KB90]    S.E. Kille and P. Barker.  The COSINE and Internet X.500
          naming architecture, December 1990.  Internet Draft:
          draft-ietf-osids-cosinex500-01.txt.

[Kil88]   S.E. Kille.  The QUIPU directory service.  In IFIP WG 6.5
          Conference on Message Handling Systems and Distributed
          Applications, pages 173--186. North Holland Publishing,
          October 1988.

[Kil89a]  S.E. Kille.  An interim approach to use of network addresses.
          Research Note RN/89/13, Department of Computer Science,
          University College London, February 1989.  Internet Draft:
          draft-ucl-kille-networkaddresses-01.txt, ps.

[Kil89b]  S.E. Kille.  A string encoding of presentation address.
          Research Note RN/89/14, Department of Computer Science,
          University College London, February 1989.  Internet Draft:
          draft-ucl-kille-presentationaddress-01.txt, ps.

[Kil89c]  S.E. Kille.  The THORN and RARE naming architecture.  Technical
          report, Department of Computer Science, University College
          London, June 1989.  THORN Report UCL-64 (version 2).

[Kil89d]  S.E. Kille.  X.500 and domains.  Research Note RN/89/47,
          Department of Computer Science, University College London,
          May 1989.  Also Internet Draft:
          DRAFT-UCL-KILLE-X500DOMAINS-00.PS.

[Kil90a]  S.E. Kille.  Replication requirement to provide an internet
          directory using X.500, November 1990.  Internet Draft:
          draft-ietf-osids-replication-00.txt.

[Kil90b]  S.E. Kille.  Replication requirement to provide an internet
          directory using X.500:   A proposed solution, November 1990.
          Internet Draft:   draft-ietf-osids-replsoln-00.txt, ps.

[Kil90c]  S.E. Kille.  Using the osi directory to achieve user friendly
          naming.  Research Note RN/90/29, Department of Computer
          Science, University College London, February 1990.  Internet
          Draft:   draft-ietf-osids-friendlynaming-00.txt, ps.

[Lin89]   J. Linn.  Privacy Enhancement for Internet Electronic Mail:
          Part 1 --- Message Encipherment and Authentication
          Procedures.  Request for Comments 1113, DDN Network
          Information Center, SRI International, August 1989.






[RC87]    Marshall T. Rose and Dwight E. Cass.  ISO Transport Services
          on top of the TCP.  Request for Comments 1006, DDN Network
          Information Center, SRI International, May 1987.



11   Security Considerations

Security considerations are discussed in Section 5 of this
INTERNET--DRAFT.



12   Author's Address

     Steve Kille
     Department of Computer Science
     University College London
     Gower Street
     WC1E 6BT
     England



     Phone:   +44-71-380-7294



     EMail:   S.Kille@CS.UCL.AC.UK


