Tutorial 2005 03 30 Andersen

Uploaded from authorPOINT Lite
Download as
 PPT
Presentation Description 

No description available

Comments Sign in to comment
Embed URL Thumbnail


Custom Embed WordPress Embed

Happy Thanksgiving
What's up on authorSTREAM?
Views: 62
Like it  ( Likes) Dislike it  ( Dislikes)
Added: December 27, 2007 This Presentation is Public 
Presentation Category : Entertainment All Rights Reserved
Presentation Transcript

News from the wonderful world of directories: News from the wonderful world of directories Erik Andersen Denmark


Agenda: Agenda The position of X.500/LDAP X.500 enhancements Concept of Friends Attributes Paging on the DSP Maximum alignment with LDAP Enhancements to Public-key and Attribute certificates Enhancements to E.115 Functional enhancements XML access


The X.500/LDAP Directory: The X.500/LDAP Directory An LDAP or X.500 directory is a general purpose directory Gives a set of specifications for: how objects are represented by entries in a directory how objects represented in a directory are named how information about objects is created, organised, interrogated, updated and deleted A directory can be distributed allowing: the establishment of a global Directory information to be maintained by the owner of information a separation between public and private domains possibility for replication of information


Relationship between X.500 and LDAP (Lightweight Directory Access Protocol): Relationship between X.500 and LDAP (Lightweight Directory Access Protocol) LDAP originally developed for X.500 access Later developed own server specifications Uses the X.500 model Identical in many ways, except for syntax X.500: Full use of ASN.1 LDAP: Simple ASN.1 and Augmented Backus-Naur Form (ABNF) Most X.500 implementations support LDAP LDAP widely implemented and used


IETF LDAP V3 specifications: IETF LDAP V3 specifications RFC 3377 - Lightweight Directory Access Protocol (v3): Technical Specification RFC 2251 - Lightweight Directory Access Protocol (v3) RFC 2252 - Attribute Syntax Definitions RFC 2253 - UTF-8 String Representation of Distinguished Names RFC 2254 - The String Representation of LDAP Search Filter RFC 2255 - The LDAP URL Format RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3 RFC 2829 - Authentication Methods for LDAP RFC 2830 - Extension for Transport Layer Security RFC 2831 - Using Digest Authentication as a SASL Mechanism


Editions of X.500 Directory Specifications: Editions of X.500 Directory Specifications Developed by ISO/IEC and ITU-T (former CCITT) as: ISO/IEC 9594 multi-part International Standard ITU-T X.500 Series of Recommendations Four editions so far: Edition 2: ISO/IEC 9594:1995 | ITU-T X.500 (1993) Edition 1: ISO/IEC 9594:1990 | CCITT X.500 (1988) Edition 3: ISO/IEC 9594:1998 | ITU-T X.500 (1997) Edition 4: ISO/IEC 9594:2001 | ITU-T X.500 (2001)


X.500 5th edition enhancements: X.500 5th edition enhancements Concept of Friends Attributes Paging on the DSP Maximum alignment with LDAP Enhancements to Public-key and Attribute certificates Expected publication: During 2005


Friend attributes: Friend attributes Friend attributes – possibly different syntaxes: commAddress telephoneNumber (E.164 syntax)


Paged results on the DSP: Paged results on the DSP Bound DSA DSA DSA DSA DUA DAP DSP DSP DSP DSP DSP DSP Bound-DSA paged result DSP paged result


Relationship between X.500 and LDAP (Lightweight Directory Access Protocol): Relationship between X.500 and LDAP (Lightweight Directory Access Protocol) X.500 LDAP


Relationship between X.500 and LDAP with maximum alignment: Relationship between X.500 and LDAP with maximum alignment X.500 LDAP


Maximum X.500 alignment with LDAP: Maximum X.500 alignment with LDAP Alignment of concepts – add LDAP concepts to make LDAP concepts a subset of X.500 concepts. Simplify specifications – removal of dependency of lower layer documentation Alignment of operations (replace value) Multiple namespaces (Directory Information Trees) Directory consisting of LDAP and X.500 server mix ISO 10646 (UTF-8) matching Component matching NOTE – One way alignment


A distributed directory: A distributed directory A directory DSA LDAP server DSA DSA DSA DUA LDAP client LDAP User DUA User DAP DSP DSP LDAP


Matching problem: Matching problem keyUsage = digitalSignature certificatePolicies = { … policyIdentifier = { a.b.c}} Certificate 1 Directory entry keyUsage = digitalSignature And policyIndentifier = { a b d } Filter Attribute


Component matching rule: Component matching rule Evaluate to TRUE if match Can be combined by AND, OR and NOT operations in any combination and nesting level onto a particular attribute value of a particular attribute type Evaluates to TRUE if just one attribute value of the attribute type evaluates to TRUE


DirectoryString: DirectoryString DirectoryString { INTEGER : maxSize } ::= CHOICE { teletexString TeletexString (SIZE (1..maxSize)), printableString PrintableString (SIZE (1..maxSize)), bmpString BMPString (SIZE (1..maxSize)), universalString UniversalString (SIZE (1..maxSize)), uTF8String UTF8String (SIZE (1..maxSize)) }


ISO/IEC 10646 The base character set standard: ISO/IEC 10646 The base character set standard ISO/IEC 10646 - Universal Multiple-Octet Coded Character Set (UCS) Every character is coded in 4 octets Allows encoding of all characters used by written languages all over the world The practical realisation is specified in the Unicode standard (produced by a consortium) Supports multiple encoding formats: UTF-8 - octet oriented BMP (UCS-2) - half word oriented UTF-16 - half word oriented UCS-4 (UTF-32) - word oriented


UCS coding space: UCS coding space Plane 00 of Group 00 (Basic Multilingual Plane) Group 00 Group 01 Group 7F Plane FF of Group 00 Plane 00 of Group 01 Plane 00 of Group 7F 128 groups 258 plane per group 256 rows per plane 256 cells per row


UCS Transformation Format 8 (UTF-8) : UCS Transformation Format 8 (UTF-8) Defined in Annex D of ISO/IEC 10646-1 : 2003, Universal Multiple-Octet Coded Character Set (UCS) Required by (almost) all Internet specifications


Format of octets in a UTF-8 sequence: Format of octets in a UTF-8 sequence


UTF-8: A character is represented by 1 to 6 octets One octet can represent: Row 00: Basic Latin (ASCII) Two octets can represent: Row 00: Basic Latin, Latin-1 Supplement Row 01: Latin Extended-A Rows 01-02: Latin Extended-B Row 02: IPA Extensions, Spacing Modifier Letters Row 03: Combining Diacritical Marks, Greek and Coptic Row 04: Cyrillic Row 05: Armenian, Hebrew Row 06: Arabic Row 07: Syriac, Thaana UTF-8


First problem: First problem We need to compare names and values Some characters may be represented in several ways It is not possible to do a simple bitwise comparison to check if two names or values are equal!


Second problem: Second problem Comparison is most often done disregarding case differences All upper case letters have to be converted to lower case letters before comparison


String preparation: String preparation Text string 2 Transcoded string 2 Transcoding Mapped string 2 Mapping Normalised string 2 Normalise


X.509 enhancements: X.509 enhancements Notice of future revocation Notice of revoked group of entries Expired certificates on CRLs Advanced certificate matching rule XML encoded privilege information Clarifications Misc. enhancements to PMI Etc.


Slide26: EIDQ Association


Members (30 as at 17 Feb 2004): Members (30 as at 17 Feb 2004)


E.115 - Computerized directory assistance: E.115 - Computerized directory assistance Operator User Local server International server E.115 protocol


ITU-T Rec. E.115 (2005) Computerized Directory Assistance: ITU-T Rec. E.115 (2005) Computerized Directory Assistance OSI stack removed Home grown TCP/IP support integrated in text Specifies two versions of the protocol Version 1: The 1995 edition + all agreed extensions All keywords specified in Annex Complete rewrite and restructuring of 1995 edition Added clarifications ASN.1 BER encoding Support mandatory Version 2: Keywords replaced by new fields – keyword concept no longer used Several new enhancements ASN.1 BER and XML (or ASN.1 XER) encoding Future extensions using ITU-T procedure


Version 2 design criteria: Version 2 design criteria Keep backward compatibility Unchanged fields use same tag Tags reserved for obsolete fields Common text for unchanged fields Keep ASN.1 and XML Schema Definitions (XSD) aligned ASN.1 XER encoding will produce same encoding as the XSD ASN.1 EXTENDED-XER encoding instruction used


Example of ASN.1 specification: Example of ASN.1 specification InquiryPart1 ::= [ TAG: APPLICATION 0 ] IMPLICIT SET { messageIndicators [ATTRIBUTE] [TAG: 0] IMPLICIT E115String (SIZE(4)), internationalIndicator [ATTRIBUTE] [TAG: 1] IMPLICIT E115NumericString (SIZE(8)), originatingTerminalCode [ATTRIBUTE] [TAG: 2] IMPLICIT E115String (SIZE(8)), dateAndTime [ATTRIBUTE] [TAG: 3] IMPLICIT E115NumericString (SIZE(12))OPTIONAL, messageNumber [ATTRIBUTE] [TAG: 4] IMPLICIT E115String (SIZE(4)) OPTIONAL }


Proximity search: Proximity search


Slide33: END