
Managing the X.500 Root Naming Context
RFC 2120

Document type: RFC - Experimental (March 1997)
Document stream: IETF
Last updated: 2013-03-02

IESG State: RFC 2120 (Experimental)

Network Working Group                                        D. Chadwick
Request for Comments: 2120                         University of Salford
Category: Experimental                                        March 1997

                 Managing the X.500 Root Naming Context

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  This memo does not specify an Internet standard of any
   kind.  Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   The X.500 Standard [X.500 93] has the concept of first level DSAs,
   whose administrators must collectively manage the root naming context
   through bi-lateral agreements or other private means which are
   outside the scope of the X.500 Standard.

   The NameFLOW-Paradise X.500 service has an established procedure for
   managing the root naming context, which currently uses Quipu
   proprietary replication mechanisms and a root DSA. The benefits that
   derive from this are twofold:

      - firstly it is much easier to co-ordinate the management of the
      root context information, when there is a central point of
      administration,

      - secondly the performance of one-level Search operations is
      greatly improved because the Quipu distribution and replication
      mechanism does not have a restriction that exists in the 1988 and
      1993 X.500 Standard.

   The NameFLOW-Paradise project is moving towards 1993 ISO X.500
   Standard replication protocols and wants to standardise the protocol
   and procedure for managing the root naming context which will be
   based on 1993 X.500 Standard protocols. Such a protocol and procedure
   will be useful to private X.500 domains as well as to the Internet
   X.500 public domain. It is imperative that overall system performance
   is not degraded by this transition.

   This document describes the use of 1993 ISO X.500 Standard protocols
   for managing the root context. Whilst the ASN.1 is compatible with
   that of the X.500 Standard, the actual settings of the parameters are
   supplementary to that of the X.500 Standard.

Chadwick                      Experimental                      [Page 1]
RFC 2120         Managing the X.500 Root Naming Context       March 1997

Table of Contents

   1 Introduction.............................................   2
   2 Migration Plan...........................................   3
   3 Technical Solutions......................................   3
   4 The Fast Track Solution..................................   4
   5 The Slower Track Solution................................   6
   6 The Long Term Solution...................................   7
   7 Security Considerations..................................   8
   8 Acknowledgments..........................................   9
   9 References...............................................   9
   10 Author's Address........................................  10
   Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-
        T by the UK...........................................  11
   Annex 2 Defect Report on 1993 X.500 Standard for Adding
        full ACIs to DISP for Subordinate References, so that
        Secure List Operation can be performed in Shadow DSAs.  12
   Annex 3 Defect Report on 1997 X.500 Standard Proposing
        an Enhancement to the Shadowing Agreement in order to
        support 1 Level Searches in Shadow DSAs...............  14

1     Introduction

   The NameFLOW-Paradise service has a proprietary way of managing the
   set of first level DSAs and the root naming context. There is a
   single root DSA (Giant Tortoise) which holds all of the country
   entries, and the country entries are then replicated to every country
   (first level) DSA and other DSAs by Quipu replication [RFC 1276] from
   the root DSA. In June 1996 there were 770 DSAs replicating this
   information over the Internet. The root DSA is not a feature of the
   X.500 Standard [X.500 93]. It was introduced because of the non-
   standard nature of the original Quipu knowledge model (also described
   in RFC 1276). However, it does have significant advantages both in
   managing the root naming context and in the performance of one-level
   Searches of the root.  Performance is increased because each country
   DSA holds all the entry information of every country.

   By comparison, the 1988 X.500 Standard root context, which is
   replicated to all the country DSAs, only holds knowledge information
   and a boolean (to say if the entry is an alias or not) for each
   country entry. This is sufficient to perform an insecure List
   operation, but not a one-level Search operation. When access controls
   were added to the 1993 X.500 Standard, the root context information
   was increased (erroneously as it happens - this is the subject of
