tutorial 2005 03 30 andersen Savina
Added: December 27, 2007

Presentation Transcript

News from the wonderful world of directories
Erik Andersen, Denmark

Agenda
- The position of X.500/LDAP
- X.500 enhancements:
  - Concept of Friends Attributes
  - Paging on the DSP
  - Maximum alignment with LDAP
  - Enhancements to Public-key and Attribute certificates
- Enhancements to E.115:
  - Functional enhancements
  - XML access

The X.500/LDAP Directory
- An LDAP or X.500 directory is a general purpose directory
- Gives a set of specifications for:
  - how objects are represented by entries in a directory
  - how objects represented in a directory are named
  - how information about objects is created, organised, interrogated, updated and deleted
- A directory can be distributed, allowing:
  - the establishment of a global Directory
  - information to be maintained by the owner of the information
  - a separation between public and private domains
  - the possibility of replicating information

Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
- LDAP originally developed for X.500 access
- Later developed its own server specifications
- Uses the X.500 model
- Identical in many ways, except for syntax:
  - X.500: full use of ASN.1
  - LDAP: simple ASN.1 and Augmented Backus-Naur Form (ABNF)
- Most X.500 implementations support LDAP
- LDAP widely implemented and used

IETF LDAP V3 specifications
- RFC 3377 - Lightweight Directory Access Protocol (v3): Technical Specification
- RFC 2251 - Lightweight Directory Access Protocol (v3)
- RFC 2252 - Attribute Syntax Definitions
- RFC 2253 - UTF-8 String Representation of Distinguished Names
- RFC 2254 - The String Representation of LDAP Search Filters
- RFC 2255 - The LDAP URL Format
- RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
- RFC 2829 - Authentication Methods for LDAP
- RFC 2830 - Extension for Transport Layer Security
- RFC 2831 - Using Digest Authentication as a SASL Mechanism

Editions of X.500 Directory Specifications
- Developed by ISO/IEC and ITU-T (former CCITT) as:
  - ISO/IEC 9594 multi-part International Standard
  - ITU-T X.500 Series of Recommendations
- Four editions so far:
  - Edition 1: ISO/IEC 9594:1990 | CCITT X.500 (1988)
  - Edition 2: ISO/IEC 9594:1995 | ITU-T X.500 (1993)
  - Edition 3: ISO/IEC 9594:1998 | ITU-T X.500 (1997)
  - Edition 4: ISO/IEC 9594:2001 | ITU-T X.500 (2001)

X.500 5th edition enhancements
- Concept of Friends Attributes
- Paging on the DSP
- Maximum alignment with LDAP
- Enhancements to Public-key and Attribute certificates
- Expected publication: during 2005

Friend attributes
- Friend attributes, possibly with different syntaxes:
  - commAddress
  - telephoneNumber (E.164 syntax)

Paged results on the DSP
(Diagram: a DUA talks DAP to its bound DSA; the bound DSA chains the request over DSP to further DSAs. Two cases are shown: a bound-DSA paged result and a DSP paged result.)

Relationship between X.500 and LDAP (Lightweight Directory Access Protocol)
(Diagram: X.500 and LDAP as two overlapping areas.)

Relationship between X.500 and LDAP with maximum alignment
(Diagram: X.500 and LDAP with LDAP contained within X.500.)

Maximum X.500 alignment with LDAP
- Alignment of concepts: add LDAP concepts to X.500 so that LDAP concepts become a subset of X.500 concepts
- Simplify specifications: remove the dependency on lower layer documentation
- Alignment of operations (replace value)
- Multiple namespaces (Directory Information Trees)
- Directory consisting of a mix of LDAP and X.500 servers
- ISO 10646 (UTF-8) matching
- Component matching
- NOTE: one-way alignment

A distributed directory
(Diagram: the Directory is formed by several DSAs and an LDAP server, interconnected over DSP. A DUA serves a user over DAP; an LDAP client serves an LDAP user over LDAP.)

Matching problem
(Diagram)
- Directory entry, Certificate 1 (attribute):
  - keyUsage = digitalSignature
  - certificatePolicies = { … policyIdentifier = { a.b.c } }
- Filter:
  - keyUsage = digitalSignature AND policyIdentifier = { a b d }

Component matching rule
- Evaluates to TRUE if there is a match
- Can be combined by AND, OR and NOT operations in any combination and at any nesting level onto a particular attribute value of a particular attribute type
- Evaluates to TRUE if just one attribute value of the attribute type evaluates to TRUE

DirectoryString

    DirectoryString { INTEGER : maxSize } ::= CHOICE {
        teletexString    TeletexString   (SIZE (1..maxSize)),
        printableString  PrintableString (SIZE (1..maxSize)),
        bmpString        BMPString       (SIZE (1..maxSize)),
        universalString  UniversalString (SIZE (1..maxSize)),
        uTF8String       UTF8String      (SIZE (1..maxSize)) }

ISO/IEC 10646: The base character set standard
- ISO/IEC 10646 - Universal Multiple-Octet Coded Character Set (UCS)
- Every character is coded in 4 octets
- Allows encoding of all characters used by written languages all over the world
- The practical realisation is specified in the Unicode standard (produced by a consortium)
- Supports multiple encoding formats:
  - UTF-8 - octet oriented
  - BMP (UCS-2) - half word oriented
  - UTF-16 - half word oriented
  - UCS-4 (UTF-32) - word oriented

UCS coding space
(Diagram: Group 00, Group 01 ... Group 7F; Plane 00 of Group 00 is the Basic Multilingual Plane; Plane FF of Group 00; Plane 00 of Group 01; Plane 00 of Group 7F.)
- 128 groups
- 256 planes per group
- 256 rows per plane
- 256 cells per row

UCS Transformation Format 8 (UTF-8)
- Defined in Annex D of ISO/IEC 10646-1:2003, Universal Multiple-Octet Coded Character Set (UCS)
- Required by (almost) all Internet specifications

Format of octets in a UTF-8 sequence
(Table of octet layouts; not recovered from the transcript.)

UTF-8
- A character is represented by 1 to 6 octets
- One octet can represent:
  - Row 00: Basic Latin (ASCII)
- Two octets can represent:
  - Row 00: Basic Latin, Latin-1 Supplement
  - Row 01: Latin Extended-A
  - Rows 01-02: Latin Extended-B
  - Row 02: IPA Extensions, Spacing Modifier Letters
  - Row 03: Combining Diacritical Marks, Greek and Coptic
  - Row 04: Cyrillic
  - Row 05: Armenian, Hebrew
  - Row 06: Arabic
  - Row 07: Syriac, Thaana

First problem
- We need to compare names and values
- Some characters may be represented in several ways
- It is not possible to do a simple bitwise comparison to check whether two names or values are equal!

Second problem
- Comparison is most often done disregarding case differences
- All upper case letters have to be converted to lower case letters before comparison

String preparation
(Diagram: Text string -> Transcoding -> Transcoded string -> Mapping -> Mapped string -> Normalise -> Normalised string)

X.509 enhancements
- Notice of future revocation
- Notice of revoked group of entries
- Expired certificates on CRLs
- Advanced certificate matching rule
- XML encoded privilege information
- Clarifications
- Misc. enhancements to PMI
- Etc.

Slide 26: EIDQ Association
Members (30 as at 17 Feb 2004)
(Member list not recovered from the transcript.)

E.115 - Computerized directory assistance
(Diagram: Operator and User connect to a Local server, which reaches an International server over the E.115 protocol.)

ITU-T Rec. E.115 (2005) Computerized Directory Assistance
- OSI stack removed
- Home grown TCP/IP support integrated in the text
- Specifies two versions of the protocol
- Version 1:
  - The 1995 edition + all agreed extensions
  - All keywords specified in an Annex
  - Complete rewrite and restructuring of the 1995 edition
  - Added clarifications
  - ASN.1 BER encoding
  - Support mandatory
- Version 2:
  - Keywords replaced by new fields; the keyword concept is no longer used
  - Several new enhancements
  - ASN.1 BER and XML (or ASN.1 XER) encoding
  - Future extensions using the ITU-T procedure

Version 2 design criteria
- Keep backward compatibility:
  - Unchanged fields use the same tag
  - Tags reserved for obsolete fields
  - Common text for unchanged fields
- Keep ASN.1 and XML Schema Definitions (XSD) aligned:
  - ASN.1 XER encoding will produce the same encoding as the XSD
  - ASN.1 EXTENDED-XER encoding instruction used

Example of ASN.1 specification

    InquiryPart1 ::= [TAG: APPLICATION 0] IMPLICIT SET {
        messageIndicators        [ATTRIBUTE] [TAG: 0] IMPLICIT E115String        (SIZE(4)),
        internationalIndicator   [ATTRIBUTE] [TAG: 1] IMPLICIT E115NumericString (SIZE(8)),
        originatingTerminalCode  [ATTRIBUTE] [TAG: 2] IMPLICIT E115String        (SIZE(8)),
        dateAndTime              [ATTRIBUTE] [TAG: 3] IMPLICIT E115NumericString (SIZE(12)) OPTIONAL,
        messageNumber            [ATTRIBUTE] [TAG: 4] IMPLICIT E115String        (SIZE(4))  OPTIONAL }

Proximity search
(No slide content recovered from the transcript.)

Slide 33: END
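The "Format of octets in a UTF-8 sequence" and "UTF-8" slides describe the octet layout but the table itself did not survive the transcript. The following is an added example, not code from the presentation: an encoder for the 1-to-6-octet form of the ISO/IEC 10646 Annex D layout, plus a strict decoder that rejects the malformed inputs a directory server must never accept as equal to a well-formed name (truncated sequences, stray continuation octets, and overlong encodings, which write a short code point in a longer form so that a bitwise filter on the short form can be sidestepped). The `_FORMS` table is constructed from the standard bit patterns; RFC 3629 later limited UTF-8 to 4 octets and U+10FFFF, which `utf8_encode` does not enforce because the slide describes the older six-octet form.

```python
# Added example (not from the presentation): UTF-8 octet layout as an
# encoder and a strict decoder.  Lengths follow ISO/IEC 10646 Annex D
# (1 to 6 octets); RFC 3629 later restricted UTF-8 to 4 octets.

# Constructed table: (largest code point, lead-octet marker, payload bits
# carried by the lead octet) for sequence lengths 1..6.
_FORMS = [
    (0x7F,       0x00, 7),   # 0xxxxxxx
    (0x7FF,      0xC0, 5),   # 110xxxxx 10xxxxxx
    (0xFFFF,     0xE0, 4),   # 1110xxxx 10xxxxxx 10xxxxxx
    (0x1FFFFF,   0xF0, 3),   # 11110xxx + 3 continuation octets
    (0x3FFFFFF,  0xF8, 2),   # 111110xx + 4 continuation octets
    (0x7FFFFFFF, 0xFC, 1),   # 1111110x + 5 continuation octets
]


def utf8_encode(code_point):
    """Encode one UCS code point in its shortest Annex D form."""
    if code_point < 0 or code_point > 0x7FFFFFFF:
        raise ValueError("outside the UCS-4 range")
    for length, (limit, marker, _lead_bits) in enumerate(_FORMS, start=1):
        if code_point <= limit:
            break
    cont_count = length - 1
    # The lead octet carries the top bits; each continuation octet carries 6 bits.
    octets = [marker | (code_point >> (6 * cont_count))]
    for i in range(cont_count - 1, -1, -1):
        octets.append(0x80 | ((code_point >> (6 * i)) & 0x3F))
    return bytes(octets)


def utf8_decode_strict(data):
    """Decode UTF-8 octets into a list of code points.

    Raises ValueError on a stray continuation octet, an invalid lead octet,
    a truncated sequence, or an overlong encoding (a value that has a
    shorter valid form than the one used).
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        length = None
        for k, (_limit, marker, lead_bits) in enumerate(_FORMS, start=1):
            mask = (0xFF << lead_bits) & 0xFF      # bits that must equal the marker
            if lead & mask == marker:
                length = k
                break
        if length is None:                          # 10xxxxxx alone, or 0xFE/0xFF
            raise ValueError("invalid lead octet 0x%02X at offset %d" % (lead, i))
        if i + length > n:
            raise ValueError("truncated sequence at offset %d" % i)
        cp = lead & ((1 << lead_bits) - 1)
        for j in range(1, length):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation octet at offset %d" % (i + j))
            cp = (cp << 6) | (c & 0x3F)
        # Overlong check: the value must not fit in the next shorter form.
        if length > 1 and cp <= _FORMS[length - 2][0]:
            raise ValueError("overlong encoding at offset %d" % i)
        out.append(cp)
        i += length
    return out


def is_valid_utf8(data):
    """True if utf8_decode_strict accepts the octet string."""
    try:
        utf8_decode_strict(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cp in (0x41, 0xE9, 0x20AC, 0x1F600):
        print("U+%04X -> %s" % (cp, utf8_encode(cp).hex()))
    # Overlong "/" (0xC0 0xAF) must be rejected, not decoded as U+002F.
    print("overlong 0xC0 0xAF accepted:", is_valid_utf8(b"\xc0\xaf"))
```

The overlong rejection is the security-relevant check: without it, `b"\xc0\xaf"` decodes to the same code point as `b"/"`, so two octet strings that compare unequal bit for bit would name the same entry.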
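The "First problem", "Second problem" and "String preparation" slides explain why a name comparison cannot be a bitwise comparison and sketch the pipeline (transcoding, mapping, normalisation). The following is an added example, not code from the presentation, that runs a simplified version of that pipeline over `DirectoryString` alternatives arriving in different encodings. Assumptions: the mapping step is reduced to dropping format and control characters (Unicode categories Cf and Cc) and case folding, normalisation uses NFKC, and insignificant-space handling collapses runs of spaces; the real tables in the X.500 and LDAP (RFC 4518) specifications are larger. The encodings used stand in for the bmpString (UTF-16), universalString (UTF-32) and uTF8String choices; Python has no codec for teletexString.

```python
# Added example (not from the presentation): a simplified X.500/LDAP
# string preparation pipeline so that names in different encodings,
# compositions and cases compare equal.
import unicodedata

# Assumption: the mapping step drops characters that carry no matching
# significance.  Cf = format (soft hyphen, zero-width joiner, ...),
# Cc = control characters.  The real mapping table is larger.
_DROP_CATEGORIES = {"Cf", "Cc"}


def transcode(raw, encoding):
    """Transcoding: bring any DirectoryString alternative into Unicode."""
    return raw.decode(encoding)


def map_string(text):
    """Mapping: drop insignificant characters, then fold case (second problem)."""
    kept = "".join(ch for ch in text
                   if unicodedata.category(ch) not in _DROP_CATEGORIES)
    return kept.casefold()


def normalise(text):
    """Normalise: one canonical form, so precomposed and decomposed
    sequences of the same character compare equal (first problem)."""
    return unicodedata.normalize("NFKC", text)


def collapse_spaces(text):
    """Insignificant-space handling in the style of caseIgnoreMatch."""
    return " ".join(text.split())


def prepare(raw, encoding="utf-8"):
    """Full pipeline: transcode -> map -> normalise -> space handling."""
    return collapse_spaces(normalise(map_string(transcode(raw, encoding))))


def names_match(raw_a, encoding_a, raw_b, encoding_b):
    """Compare two encoded name values after preparation."""
    return prepare(raw_a, encoding_a) == prepare(raw_b, encoding_b)


if __name__ == "__main__":
    # Constructed sample values: the same surname as a precomposed UTF-8
    # string and as a decomposed (u + combining diaeresis) UTF-32 string.
    precomposed = "Müller".encode("utf-8")
    decomposed = "MU\u0308LLER".encode("utf-32-be")
    print("bitwise equal:", precomposed == decomposed)          # False
    print("prepared equal:", names_match(precomposed, "utf-8",
                                         decomposed, "utf-32-be"))  # True
    # A soft hyphen hidden in a name would otherwise create a second,
    # visually identical entry.
    print(repr(prepare("Al\u00adice".encode("utf-8"))))        # 'alice'
```

Two details matter for a directory operator: case folding is applied before normalisation, so `ß` folds to `ss` and "Straße" matches "STRASSE"; and invisible format characters are removed, so a value padded with soft hyphens or zero-width joiners cannot coexist with its visible twin as a distinct name.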
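The "Matching problem" and "Component matching rule" slides show why a filter on certificate components has to be evaluated against one attribute value at a time. The following is an added example, not code from the presentation, that evaluates a nested AND/OR/NOT filter per attribute value and contrasts it with attribute-level evaluation, where each filter item may be satisfied by a different certificate. The certificates are constructed nested dicts reduced to the components the slide uses (`keyUsage` and `certificatePolicies.policyIdentifier`); real certificates are ASN.1 structures and the dotted component paths are an assumption of this example, not the syntax of the standard's ComponentAssertion.

```python
# Added example (not from the presentation): component matching over
# certificate attribute values, per value versus per attribute.

# Constructed sample attribute values (userCertificate with two values).
CERT_1 = {"keyUsage": ["digitalSignature"],
          "certificatePolicies": [{"policyIdentifier": "a.b.c"}]}
CERT_2 = {"keyUsage": ["keyEncipherment"],
          "certificatePolicies": [{"policyIdentifier": "a.b.d"}]}

# The slide's filter: keyUsage = digitalSignature AND policyIdentifier = a.b.d
FILTER_SLIDE = ("and",
                ("item", "keyUsage", "digitalSignature"),
                ("item", "certificatePolicies.policyIdentifier", "a.b.d"))


def component_at(value, path):
    """Walk a dotted component path into a nested value; lists fan out."""
    nodes = [value]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                child = node[part]
                nxt.extend(child if isinstance(child, list) else [child])
        nodes = nxt
    return nodes


def eval_on_value(filt, value):
    """Evaluate a nested filter against ONE attribute value."""
    op = filt[0]
    if op == "and":
        return all(eval_on_value(f, value) for f in filt[1:])
    if op == "or":
        return any(eval_on_value(f, value) for f in filt[1:])
    if op == "not":
        return not eval_on_value(filt[1], value)
    if op == "item":
        _, path, wanted = filt
        return wanted in component_at(value, path)
    raise ValueError("unknown operator %r" % op)


def component_match(filt, attribute_values):
    """Component matching rule from the slide: TRUE if at least one
    attribute value makes the whole filter TRUE."""
    return any(eval_on_value(filt, v) for v in attribute_values)


def attribute_level_match(filt, attribute_values):
    """Evaluation without component matching: every item is checked
    against the attribute as a whole, so different items may be
    satisfied by different values."""
    op = filt[0]
    if op == "and":
        return all(attribute_level_match(f, attribute_values) for f in filt[1:])
    if op == "or":
        return any(attribute_level_match(f, attribute_values) for f in filt[1:])
    if op == "not":
        return not attribute_level_match(filt[1], attribute_values)
    return any(eval_on_value(filt, v) for v in attribute_values)


if __name__ == "__main__":
    entry = [CERT_1, CERT_2]
    print("component matching:", component_match(FILTER_SLIDE, entry))        # False
    print("attribute-level:   ", attribute_level_match(FILTER_SLIDE, entry))  # True
```

With only Certificate 1 in the entry the slide's filter fails under both methods, because the policy is a.b.c, not a.b.d. With a second certificate carrying policy a.b.d but no digitalSignature, attribute-level evaluation returns TRUE although no single certificate satisfies both conditions; a client selecting a signing certificate by policy would be handed the wrong one. Component matching keeps the conjunction bound to one value.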