
Re: IETF and NADF

1994-03-10 13:53:00
Peter,

Glad to see that you have reverted to a more compact e-mail address!

After rereading my reply to you, written at the end of a long day, it
comes across as a bit of a flame. None was really intended. (At least
now. Then, maybe! :-)

I have only attended one NADF meeting, so I am _hardly_ in a position
to speak with any confidence or authority. Up to that point, I was
of the impression that the NADF was a "real" organization, and that
someone/somehow/somewhere was trying to coordinate their activities
with all of the rest of the multitudinous standards and pilot projects.

Again, based only on one meeting, I think I overestimated. At present, 
the NADF isn't even a legally incorporated organization. (This
troubles me a little -- maybe I'm too cautious, but when a group of
carriers get together outside of an official conference to discuss almost
anything at all, I start looking over my shoulder for antitrust lawyers.)

What did become obvious at the meeting was that the PEM and the
X.500 crowds were very far from having a common understanding of
any intended purpose for some of the Distinguished Name constructs,
a feeling that has been reinforced by discussions with Hoyt Kesterson
who wrote X.509.

For example, Hoyt, Steve Kent, Sead Muftic and I met in Steve's office
after one of the ABA meetings, and tried to work out some DN semantic
conventions regarding organizations with foreign subsidiaries, overseas
workers, branch offices in other states, etc., just to give some guidance
to CAs and PCAs as to how to handle such occurrences. Further
research has shown that the process of registering an organization
at the state level is more complicated than we thought, and I am
still working on that paper.

At the NADF meeting, I discovered that the conventional wisdom was
that organizations might very well want to have a listing (in the white
pages or yellow pages sense) in a state other than the state or country in 
which they are incorporated and/or are doing business. Lloyds of London
might wish to have a listing in the New York, Los Angeles, and
Chicago directories, etc., even though they don't have offices there, 
just so people in those cities can find them more easily. This made such 
good business sense, but was so different from what we had been 
assuming in the PEM/PCA arena, that it blew my mind. 

Another point that became obvious was that the schemas and subschemas
that I thought were reasonably firm, are in fact not at all firm, and
individual ADDMDs and PRDMDs are perfectly free to set up their own, any
way they like.

So to take my previous example, I suppose that we could have something 
like

C=US, S=New York, L=New York City, O=Lloyds of London

even though they were not incorporated or registered, even at the locality 
level within NYC.

In a white pages listing, the above would be a perfectly valid DN by
which to locate the firm, but it surely wouldn't satisfy my expectations
as to what a DN in an X.509 certificate should contain or imply.
In the X.500 directory, of course, you would find additional attributes,
including their "real" address of C=UK, L=London, O=Lloyds of London,
streetAddress=Piccadilly Circus(?), postalCode=xxx yyy, telephone=nnnnn,
etc. Unfortunately, we can't put those additional, useful attributes in the
X.509 certificate. (Deja vu all over again.)

The primary entry concerning Lloyds of London would presumably be 
held by an ADDMD in the UK, while the NYC listing might be held by
AT&T, and the Los Angeles listing by MCI. It isn't clear to me whether 
these listings would be aliases of the primary entry, or whether they 
would be "real" entries in their own right.

Now back to the IETF, the NADF, and all of the other standards bodies.

Ella Gardner sent the following to me, from
Tim Howes <tim@terminator.rs.itd.umich.edu>

----------------------

At the last IETF the OSI-DS working group was disbanded, and as part of
the effort to reorganize the white pages/directory service efforts that
are happening, Erik asked me to write up a proposal for a new working
group that would be a home for many of these efforts.  My first cut
at this charter is appended.  The group is meant to attack the white
pages/directory service problem from the perspective set forth in the
recent "White Pages Meeting Report", RFC 1588.

Now, I'm asking for your feedback.  I will incorporate any changes I
receive before Monday, March 14.  Then I will submit the charter to
Erik and John, our applications area co-directors.  In particular, I'd
like some input on milestones.  But anything is fair game at this
point, so don't hold back!

The charter will also likely undergo modification based on the outcome
of the WPS BOF at the upcoming IETF.                       -- Tim


Lightweight Internet Directory Services Charter

There is a clear need to provide and deploy a well managed Directory Service
for the Internet. Especially a so called White Pages Directory Service is
long overdue. Due to the very nature of such a service it needs to be based
on a distributed database approach. 

Currently there are various protocols under development in the Internet that
aim at providing such a service: internet X.500, WHOIS++, NETFIND, CSO etc. 
To allow these services to evolve to a ubiquitous Internet Directory Service
a hybrid system that allows interaction between the various different
services is a requirement.  

The LIDS working group will identify the need for, define, evolve, and
standardize lightweight protocols, algorithms and access methods for
directory services on the Internet. Similar or related work items
already completed or underway in this area by other groups include the
Lightweight Directory Access Protocols (LDAP and Connectionless LDAP),
the User Friendly Naming (UFN) and User Friendly Searching (UFS)
specifications (all developed for internet X.500), much of the
World-Wide-Web-based efforts, including the Hypertext Transfer Protocol
(HTTP) and URL/URI work, the SOLO directory access and searching
system, the WHOIS++ directory service work, and the NETFIND directory
service.  The group is intended to focus on harmonizing, evolving and
developing lightweight protocols and algorithms from all areas of
directory service, both ad hoc and standards-based, and it is expected
that this will ultimately contribute to a hybrid system that ties
together various forms of Directory Service.

Milestones

        SOLO Internet Draft published

        SOLO Internet Draft elevated to Proposed Internet 
        Standard status

        CLDAP Internet Draft elevated to Proposed Internet 
        Standard status

        X.500 URL draft published

        LDAP URL draft published

        SOLO URL draft published

        Stand-alone LDAP draft published (LDAP without X.500)

----------------------------------

At this point I am totally confused as to where we should be going, so
I will ask some provocative questions, in the spirit of those you raised:

1. Does the PEM community still consider the integration with X.500 
directory services to be our long term goal?  (I hope so, because I see
X.500 being used for other PKC infrastructure initiatives, some of which do
not involve e-mail or even the Internet, so solutions like WHOIS++, DNS,
etc. would not be as useful.)

2. Assuming that we wish to stay approximately within the fold of X.500,
at least long term, do we still wish to be bound and constrained by
the current structure of X.509? (I continue to think not. The
inability of X.509 to contain nondistinguished attributes is becoming
an increasingly obvious problem -- for example the e-mail
address issue and the directory problem I discussed above.)

3. Do we still value the concept of nonrepudiation, with reasonably
strong authentication of an individual's identity, if not authorization?
(I hope so.)

4. Do we still believe in the concept of a top-down certification
hierarchy, at least for identity? Or is the issue of implied trust so
important that we should go to a bottom-up model, even for identity
only?  (I'm not sure. I _think_ that both of these approaches can
be accommodated by a judicious use of controls over the local certificate
cache, but a solid intellectual underpinning hasn't been written yet.)

5. Given the proliferation of attributes emanating from various standards
groups and others, do we have any confidence that Directory User Agents
will ever be able to keep up with them all? And given that most DUAs
are focussed on the human-readable presentation of directory
information, do we have any confidence that we will be able to integrate
a PEM UA with a DUA and a mailer UA at any time in the near future?

6. Does the current reference implementation of PEM provide a sufficient
and workable basis with which to evaluate these concepts and motivate
commercial vendors to produce products, or should we go back to the
drawing board for at least some revisions?

Comments?

Bob
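An added example, not part of Bob's message: a small Python parser for DN strings written the way the email writes them (C=US, S=New York, ...), plus a split of a directory entry into the attributes a certificate subject DN can carry and those that stay in the directory only. The DN_ATTRS set is an assumption for illustration, and the sample DNs are the two Lloyds of London entries from the text.

```python
from typing import List, Tuple

# Attribute types assumed (for this example only) to be the ones that end
# up in a certificate subject DN; anything else lives only in the directory.
DN_ATTRS = {"C", "S", "ST", "L", "O", "OU", "CN"}

Attrs = List[Tuple[str, str]]


def parse_dn(dn: str) -> Attrs:
    """Split 'C=US, S=New York, O=Lloyds of London' into (type, value) pairs,
    left to right.  A value may be double-quoted so it can contain commas,
    and a backslash escapes the character that follows it."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if ch == '"':                              # quotes delimit, not kept
            quoted = not quoted
        elif ch == "," and not quoted:             # unquoted comma ends an RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        k, v = part.split("=", 1)
        pairs.append((k.strip(), v.strip()))
    return pairs


def certificate_subject(entry: Attrs) -> Attrs:
    """The subset of a directory entry that a subject DN can carry."""
    return [(k, v) for k, v in entry if k.upper() in DN_ATTRS]


def directory_only(entry: Attrs) -> Attrs:
    """Attributes present in the directory entry but absent from the cert."""
    return [(k, v) for k, v in entry if k.upper() not in DN_ATTRS]


def same_organization(a: Attrs, b: Attrs) -> bool:
    """True when both DNs name the same O, however they are listed."""
    org = lambda d: {v.lower() for k, v in d if k.upper() == "O"}
    return bool(org(a) & org(b))
```

Running it on the two Lloyds DNs shows the point of the message: the white pages listing and the London entry share only O, and the directory entry's streetAddress, postalCode and telephone never reach the certificate.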
