RADSA                                                         J. Coretta
Internet-Draft                                         February 29, 2024
Intended status: Experimental
Obsoletes: X660LDAP
Expires: August 27, 2024


                   The OID Directory: The RA DSA
                 draft-coretta-oiddir-radsa-00.txt

Abstract

   In service to the "OID Directory" ID series, this ID covers design
   considerations and basic requirements for the server component of
   the OID Directory Registration Authority client/server model.

   See the RADIR ID for a complete draft series manifest.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 27, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






Coretta                Expires August 27, 2024                  [Page 1]


Internet-Draft      The OID Directory: RA Server           February 2024


Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions ................................................2
      1.2. Acronyms Used ..............................................2
         1.2.1. Definitions ...........................................3
      1.3. Intended Audience ..........................................3
   2. The RA DSA ......................................................3
      2.1. Defined Parameters .........................................3
      2.2. Core Capabilities ..........................................4
         2.2.1. Schema Availability ...................................4
         2.2.2. Content Facility ......................................5
         2.2.3. Access Medium .........................................5
         2.2.4. Operations ............................................5
      2.3. Optimizations ..............................................6
         2.3.1. Collective Attributes .................................6
         2.3.2. Attribute Value Uniqueness ............................6
         2.3.3. Attribute Value Constraints ...........................7
         2.3.4. Proxy Authorization ...................................7
         2.3.5. Distribution ..........................................7
         2.3.6. Root DSE Extensibility ................................8
         2.3.7. Content Replication ...................................9
   3. IANA Considerations .............................................9
   4. Security Considerations .........................................9
      4.1. Confidentiality ............................................9
      4.2. Network Exposure ...........................................9
      4.3. Access Control ............................................10
   5. References .....................................................10
      5.1. Normative References ......................................10
      5.2. Informative References ....................................11
   Author's Address ..................................................12

1.  Introduction

   The X.500 Directory System Agent represents the provider of directory
   services to be leveraged by clients.  Within the context of this ID
   series, it houses an information base and potentially extends certain
   features meant to facilitate effective management of and/or access to
   OID registration and registrant content.

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described
   in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
   all capitals, as shown here.

1.2.  Acronyms Used

   See Section 1.3 of the RADIR ID for all acronym references.


Coretta                Expires August 27, 2024                  [Page 2]


Internet-Draft      The OID Directory: RA Server           February 2024


1.2.1.  Definitions

   The composite acronym "RA DSA" is hereby introduced within this ID.
   The acronym abbreviates the aforementioned 'Registration Authority
   Directory System Agent' term, which describes the 'server' component
   implied within the client/server model construct relevant to this ID
   series.

   The composite acronym "RA DIT" used throughout this ID is defined in
   Section 1.2.1 of the RADIT ID.

   The composite acronym "RA DUA" used throughout this ID is defined in
   Section 1.2.1 of the RADUA ID.

1.3.  Intended Audience

   This ID is intended for X.500/LDAP architects and administrative
   personnel tasked with designing, supporting and/or maintaining any
   number of RA DSAs within the terms of this ID series.

   General familiarity with the broad X.500/LDAP specification, as well
   as with the RASCHEMA, RADUA and RADIT IDs is STRONGLY
   RECOMMENDED.

2.  The RA DSA

   The RA DSA is a traditional X.500/LDAP server -- fully compliant with
   the core standards defined throughout ITU-T Rec. [X.500], [RFC4510],
   et al., that has been OPTIMIZED for use within the terms of this ID
   series.

2.1.  Defined Parameters

   The RA DSA MAY support either DAP or LDAP operation, or both.  No
   specific recommendations are made with regards to the nature of any
   networking elements, such as use of the OSI stack or TCP/IP.

   Native services and protocols managed in parallel by the RA DSA --
   such as DOP or DSP -- have no specific function within the terms of
   this ID series and thus are unimportant.  Replication services such
   as DISP, however, may be indicated in certain scenarios to enhance
   the performance and reliability of an implementation; a concept that
   is largely out of scope for this ID series.

   No particular software license applied to the RA DSA is assumed.

   Within the operational terms of this ID series, the RA DSA MUST fully
   support the Search and Read operations -- as executed by any RA DUAs
   interacting with the service -- for the purpose of entry retrieval as
   it pertains to registration and registrant contexts.



Coretta                Expires August 27, 2024                  [Page 3]


Internet-Draft      The OID Directory: RA Server           February 2024


   The RA DSA may or may not allow write-based operations -- such as Add
   or Modify -- to be executed by client entities.  This may be due to
   the access control model employed by the RA DSA, shadowing contexts
   or some other condition in effect.

2.2.  Core Capabilities

   The core capabilities defined in this section represent features that
   are assumed to be common to virtually any practical implementation of
   the RA DSA component.  These are REQUIRED in virtually all cases.

2.2.1.  Schema Availability

   The RA DSA cannot effectively serve or manage an RA DIT without the
   appropriate directory schema definitions.  The RA DSA MUST allow for
   the inclusion of such definitions.

   Section 2 of the RASCHEMA ID defines many suitable attribute type,
   object class and name form definitions for use in creating a viable
   RA DIT to be served by way of the RA DSA.  Examples involving use of
   these definitions can be found throughout the RADIT ID as well
   as this document.

   The RA DSA MUST have up-to-date knowledge of all attribute types and
   object classes defined in Sections 2.3 and 2.5 of the RASCHEMA ID
   respectively.  This is an absolute requirement.  The RA DSA MUST also
   be prepared to support sub typed attribute types.  See the beginning
   of Section 2.3 of the RASCHEMA ID for dependency details.

   Sections 4.1.1 and 4.1.2 of [RFC4512] and clauses 13.3.3 and 13.4.8
   of ITU-T Rec. [X.501] define the object class and attribute type
   definition syntaxes respectively.

   The inclusion of name form definitions defined in Section 2.7 of the
   RASCHEMA ID is RECOMMENDED ONLY if support for DIT structure rules
   is positive within the directory architecture.  These name forms are
   designed to enforce the certain recommended DN syntax schemes based
   on the intended directory structure, however they serve no purpose if
   they are not referenced by any DIT structure rules.

   This ID series does not officially define any DIT structure rules,
   leaving that task to RA DSA administrative personnel because of the
   significant variations in their creation that are likely to manifest
   among various implementations of this ID.

   Section 4.1.7 of [RFC4512] and clause 13.7 of ITU-T Rec. [X.501]
   cover the DIT structure rule and name form definitions.

   No DIT content rule definitions are defined within this ID series for
   the same reasons stated regarding DIT structure rules.  These types
   of definitions are better suited for tailored design rather than mass
   adoption.

Coretta                Expires August 27, 2024                  [Page 4]


Internet-Draft      The OID Directory: RA Server           February 2024


   DIT content rules are covered in Section 4.1.6 of [RFC4512] as well
   as within clause 13.8 of ITU-T Rec. [X.501].

2.2.2.  Content Facility

   The RA DSA has no practical purpose unless usable content exists and
   is facilitated in some manner, likely for consumption by clients and
   other DSAs.

   Facilitation may involve local storage of content, or distributed
   sourcing from external sources into a backend, or storage area.

   This ID makes no recommendations that specifically influence the
   design or operation of any content source facility.  These concepts,
   and the available options, may differ greatly among the various
   X.500/LDAP DSA products available today.

2.2.3.  Access Medium

   Although no specific medium or protocol is implied, this ID assumes
   that any implemented RA DSA service is accessible and fosters some
   manner of interaction with relevant individuals, entities or local
   services.

2.2.4.  Operations

   Depending on both the nature of the implementation and the RA DSA
   itself, certain operations -- such as those defined throughout ITU-T
   Rec. [X.511] and [RFC4511], et al -- to be executed by the RA DUA
   MUST be supported.

   This section identifies operations common between DAP and LDAP, and
   establishes generalized terms for the purpose of brevity throughout
   this ID.  As these operations apply to both RA DUAs and RA DSAs, they
   are cited through Sections 1.7 and 1.8 of the RADIR ID.

   Note that operations not explicitly used for any procedure defined
   in this ID series -- such as the Bind Operation -- are not covered.

   The DAP Search, DAP List and LDAP Search operations are the most
   critical of those required by the RA DUA construct, and is necessary
   for a variety of procedures involving registration and registrant
   contexts.  Often, search operations may be used as a prelude to the
   execution of other actions, such as registration allocations.

   The DAP Add Entry or LDAP Add operations represent the means of
   creating new registration and registrant entries within the RA DIT.

   The DAP Modify DN or LDAP Modify DN operations are only used within
   the terms of this ID series for the purpose of relocating submitted
   registration or registrant entries previously located in a request
   staging area following an approval process.

Coretta                Expires August 27, 2024                  [Page 5]


Internet-Draft      The OID Directory: RA Server           February 2024


   The DAP Modify Entry or LDAP Modify operations are used for the
   routine modification of authority-related contact information and
   occasionally registrations.

   The DAP Remove Entry or LDAP Delete operations are used for the
   occasional removal of registrant information, and in considerably
   rare cases the removal of registrations.

2.3.  Optimizations

   Throughout this ID series, certain specialized capabilities are cited
   in reference to a particular condition or task within the RA DIT and
   the RA DUA.  The following subsections briefly describe features that
   may be facilitated by way of the RA DSA, and how they fit into the
   "OID Directory" philosophy.

   Please note that while some of these topics are DIT focused, certain
   features must first be supported and somehow enabled within the RA
   DSA(s) in question.

   Directory architects may use these subsections when considering a
   potential X.500/LDAP directory product for use related to this ID
   series, given specific requirements.

2.3.1.  Collective Attributes

   Attribute types can be applied for an entire subtree context by way
   of collective attributes, defined within [RFC3671], [RFC3672] and
   ITU-T Rec. [X.501].

   In particularly large and mission-critical implementations of this ID
   series, this may be a CRITICAL feature.

   The RASCHEMA ID defines several collective types for use within the
   terms of this ID series.  The RADIT ID provides examples regarding
   use of the 'subtreeSpecification' type to that end.

2.3.2.  Attribute Value Uniqueness

   Depending on the indicated attribute type(s) and relative context, it
   may be necessary to limit content to singular instances within the RA
   DIT or a specific subtree.  One example of this is ensuring that only
   unique instances of the 'aSN1Notation' or 'iRI' attribute types exist
   within the relevant portions of the directory.

   If it is not possible to ensure uniqueness among specified values
   as recommended by some reasonable means, this ID series may not be
   practical for adoption in certain mission-critical scenarios.





Coretta                Expires August 27, 2024                  [Page 6]


Internet-Draft      The OID Directory: RA Server           February 2024


2.3.3.  Attribute Value Constraints

   The syntactical constraints afforded by the OID Directory schema, as
   defined in Section 2 of the RASCHEMA ID, do not thoroughly conform
   to the constraints defined by the underlying standards -- for example
   ITU-T Recommendations [X.660] and [X.680] -- upon which this ID
   series is conceptually based.  This concern is mentioned in Section
   2.1 of the RASCHEMA ID.

   Section 2.3 of the RASCHEMA ID references or defines appropriate
   ABNF productions for every attribute type defined.  This is done to
   aid adopters in constraining values to conform with originating
   standards, as opposed to reliance upon attribute syntax alone.

   If it is not possible to constrain values using the ABNF productions
   as recommended by some reasonable means, this ID series may not be
   practical for adoption in certain mission-critical scenarios.

2.3.4.  Proxy Authorization

   In certain implementations of this ID series, it may be advantageous
   for the RA DSA to support the Proxy Authorization Control [RFC4370]
   and the capability it extends.

   In scenarios where end users are authorized to modify certain entries
   for which they are authoritative or responsible in some manner, it is
   often desirable for personal details -- such as a DN reference which
   contains a full legal name -- to remain unexposed through instances
   of certain attribute types such as 'modifiersName' or 'creatorsName'
   that may be visible to a large user base.

2.3.5.  Distribution

   Though not specifically recommended through this ID series, the RA
   DIT may represent only a single component of a larger information
   base.  This may be especially common in the case of official public
   facing RAs, where the information base as a whole is fractured in the
   contexts of origin and authority.

   Depending on the implementation factors, the nature of distribution
   could manifest through any combination of referrals, chaining and
   replication.

   While no recommendations for or against any of these features can be
   made, this ID series acknowledges the likelihood and importance of
   such design strategies.  At no point in this ID series do any of the
   concepts or procedures set forth conflict with, preclude or require
   any of these capabilities.

   The concepts of the distributed directory are covered throughout
   ITU-T Rec. [X.518].  Directory replication is discussed throughout
   ITU-T Rec. [X.525].

Coretta                Expires August 27, 2024                  [Page 7]


Internet-Draft      The OID Directory: RA Server           February 2024


2.3.6.  Root DSE Extensibility

   For advertisement of optimal settings for consumption by clients in
   order to effectively interact with an RA DIT, the root DSE served by
   the relevant RA DSA(s) MUST support entry extensions of the Root DSE.

   This involves the addition of relevant attribute types extended by
   way of the 'rADUAConfig' AUXILIARY object class defined in Section
   2.5 of the RASCHEMA ID.

   RA DUAs that comply with Section 2.2.2 of the RADUA ID will attempt
   retrieval of this additive content from the root DSE -- by way of the
   Read Operation -- and will adjust their behaviors accordingly.

   The root DSE is discussed in Section 5 of [RFC4512] and in Section 10
   Clause 23.4.2 of ITU-T Rec. [X.501].

   The following subsections offer examples regarding the extension of
   the root DSE and the distinct RA DUA configuration options available.

   These examples are expressed as LDIF.  Note that other attribute type
   and object class instances unrelated to this ID series may be present
   within the root DSE and may be disregarded.

2.3.6.1.  Single RA DIT

   The following example is the partial representation of the root DSE
   as it pertains to the advertisement of RA DUA configuration settings
   for implementations involving a single RA DIT.

      dn:
      objectClass: rADUAConfig
      rARegistrationBase: ou=Registrations,o=rA

2.3.6.2.  Multiple RA DITs

   The following example is the partial representation of the root DSE
   as it pertains to the advertisement of RA DUA configuration settings
   for implementations involving multiple RA DITs.

      dn:
      objectClass: rADUAConfig
      rADITProfile: dc=example,dc=com
      rADITProfile: o=example

   The following examples are the example root suffix entries referenced
   by way of the 'rADITProfile' attribute type instances added to the
   root DSE.

   These example entries have been modified to include the 'rADUAConfig'
   AUXILIARY object class, which is expected and required by the RA DUA.


Coretta                Expires August 27, 2024                  [Page 8]


Internet-Draft      The OID Directory: RA Server           February 2024


      dn: dc=example,dc=com
      objectClass: domain
      objectClass: rADUAConfig
      rARegistrationBase: ou=Registrations,dc=example,dc=com

      dn: o=example
      objectClass: organization
      objectClass: rADUAConfig
      rARegistrationBase: ou=OIDs,o=example

   The 'domain' STRUCTURAL object class is defined in Section 3.4 of
   [RFC4524].  The 'organization' STRUCTURAL object class is defined
   in Section 3.8 of [RFC4519].

2.3.7.  Content Replication

   Depending on the desired fault tolerance of an implementation, as
   well as the authoritative layout and placement of registration data,
   use of a directory replication system -- such as DISP or some other
   proprietary solution of similar design -- may be indicated.

   This may be especially important in public-facing RA implementations
   in which various registration subtrees are sourced from appropriate
   authorities and served as shadowed information.

   DISP originates in ITU-T Rec. [X.525].

3.  IANA Considerations

   There are no requests to IANA in this document at this time.

4.  Security Considerations

4.1.  Confidentiality

   Network security mechanisms -- such as TLS or IPSEC VPN -- may be
   indicated when an RA DSA allows authenticated logins or disclosure
   of sensitive entries by authorized parties.  This is especially true
   for cases in which the RA DUA is not local to the RA DSA.

   This ID makes no recommendations regarding "Best Practices", strength
   factors or key generation strategies, nor does any of subject matter
   set forth in this ID necessarily rely on any such concepts.

4.2.  Network Exposure

   Historically, it is unusual for an X.500/LDAP service to be directly
   accessible over public networks in an overt or advertised fashion.

   While there may be precedents for this sort of exposure, this ID has
   no official position regarding this strategy.


Coretta                Expires August 27, 2024                  [Page 9]


Internet-Draft      The OID Directory: RA Server           February 2024


   Depending on the scope of implementation as well as the potential use
   of referrals and/or synchronization, limited levels of exposure could
   be required of any number of RA DSAs.

4.3.  Access Control

   It is RECOMMENDED that potentially sensitive content within an RA DIT
   -- such as any personal authority contact details or private subtrees
   of registrations -- be safeguarded from unauthorized access.

   It is also RECOMMENDED that RA DIT content modifications be limited
   only to authorized entities, such as administrative personnel and/or
   parties serving in authority for the respective entries.

   The topic of access control mechanisms available through the various
   X.500/LDAP products available today is well outside of scope for this
   ID series.  Generally, adoption of the models defined in clause 8 of
   ITU-T. Rec. [X.501], or some other mechanism, is indicated.

5.  References

5.1.  Normative References

   RADIR      Coretta, J., "The OID Directory: A Technical Roadmap",
              draft-coretta-oiddir-roadmap, February 2024.

   RADIT      Coretta, J., "The OID Directory: The RA DIT",
              draft-coretta-oiddir-radit, February 2024.

   RADUA      Coretta, J., "The OID Directory: The RA DUA",
              draft-coretta-oiddir-radua, February 2024.

   RASCHEMA   Coretta, J., "The OID Directory: The RA Schema",
              draft-coretta-oiddir-schema, February 2024.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3671]  Zeilenga, K., "Collective Attributes in the Lightweight
              Directory Access Protocol (LDAP)", RFC 3671, December
              2003.

   [RFC3672]  Zeilenga, K., "Subentries in the Lightweight Directory
              Access Protocol (LDAP)", RFC 3672, December 2003.

   [RFC4511]  J. Sermersheim, Ed. "Lightweight Directory Access Protocol
              (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.


Coretta                Expires August 27, 2024                 [Page 10]


Internet-Draft      The OID Directory: RA Server           February 2024


   [RFC4519]  Sciberras, Ed., A., "Lightweight Directory Access Protocol
              (LDAP): Schema for User Applications", RFC 4519, June
              2006.

   [RFC4370]  Weltman, R., "Lightweight Directory Access Protocol
              (LDAP): Proxy Authorization Control", RFC 4370, February
              2006.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", RFC 8174, May 2017.

   [X.501]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Models", ITU-T
              X.501, October 2019.

   [X.511]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Abstract service
              definition", ITU-T X.511, October 2019.

   [X.518]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Procedures for
              distributed operation", ITU-T X.518, October 2019.

   [X.525]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Replication",
              ITU-T X.525, October 2019.

5.2.  Informative References

   [RFC4510]  Zeilenga, K. "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4524]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): COSINE LDAP/X.500 Schema", RFC 4524, June 2006.

   [X.500]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Overview of
              concepts, models and services", ITU-T X.500, October 2019.

   [X.660]    International Telecommunication Union - Telecommunication
              Standardization Sector, "General procedures and top arcs
              of the international object identifier tree", ITU-T X.660,
              July 2011.

   [X.680]    International Telecommunication Union - Telecommunication
              Standardization Sector, "Abstract Syntax Notation One
              (ASN.1): Specification of basic notation", ITU-T X.680,
              July 2002.




Coretta                Expires August 27, 2024                 [Page 11]


Internet-Draft      The OID Directory: RA Server           February 2024


Author's Address

   Jesse Coretta
   California, United States

   Email: jesse.coretta@icloud.com
















































Coretta                Expires August 27, 2024                 [Page 12]