Re: Fw: Last Call: Naming Plan for Internet Directory-Enabled Applications to Proposed Standard
Al Grimstad <alg@qsun.ho.att.com> Thu, 08 January 1998 20:34 UTC
Delivery-Date: Thu, 08 Jan 1998 15:34:10 -0500
Return-Path: agrim@qsun.ho.att.com
Received: from ns.cnri.reston.va.us (cnri [132.151.1.1]) by ns.ietf.org (8.8.7/8.8.7a) with ESMTP id PAA26315 for <ietf-archive@ietf.org>; Thu, 8 Jan 1998 15:34:09 -0500 (EST)
Received: from ns.ietf.org (ietf.org [132.151.1.19]) by ns.cnri.reston.va.us (8.8.5/8.8.7a) with ESMTP id PAA14820 for <ietf-archive@cnri.reston.va.us>; Thu, 8 Jan 1998 15:36:56 -0500 (EST)
Received: from att.com (kcgw2.att.com [192.128.133.152]) by ns.ietf.org (8.8.7/8.8.7a) with SMTP id PAA26312 for <iesg@ns.ietf.org>; Thu, 8 Jan 1998 15:34:00 -0500 (EST)
Received: by kcgw2.att.com; Thu Jan 8 14:17 CST 1998
Received: from hoccson.ho.att.com (hoccson.ho.att.com [135.16.2.30]) by kcig2.att.att.com (AT&T/GW-1.0) with SMTP id OAA16786 for <iesg@ns.ietf.org>; Thu, 8 Jan 1998 14:22:33 -0600 (CST)
Received: from qsun (cafe.ho.att.com) by hoccson.ho.att.com (4.1/EMS-1.1.1 SunOS) id AA20318; Thu, 8 Jan 98 15:38:16 EST
Message-Id: <9801082038.AA20318@hoccson.ho.att.com>
From: Al Grimstad <alg@qsun.ho.att.com>
X-Mailer: MH 6.8.3
To: ietf-ids@umich.edu, iesg@ns.ietf.org
Subject: Re: Fw: Last Call: Naming Plan for Internet Directory-Enabled Applications to Proposed Standard
In-Reply-To: Message from "Paul Leach" <paulle@microsoft.com> of "Tue, 06 Jan 1998 16:33:10 PST."References: <01bd1b03$d4d7db90$28e41fac@paulle5.ntdev.microsoft.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-Id: <20334.884291507.0@qsun.att.com>
Date: Thu, 08 Jan 1998 15:33:48 -0500
Sender: agrim@qsun.ho.att.com
... > >>The IESG has received a request from the Integrated Directory Services > >>Working Group to consider Naming Plan for Internet Directory-Enabled > >>Applications <draft-ietf-ids-dirnaming-03.txt> as a Proposed Standard. ... > First, we like the general direction inherent in the use of the "dc" > component to construct DNs that parallel the DNS naming hierarchy. This is > an extremely practical way to leverage an existing deployed resolution and > registration infrastructure. Good. > However, we have several issues with the proposal: > 1. It does not specify that one may expect to be able to resolve DNs ending > with "dc" components by resolving the corresponding DNS name to locate an > LDAP server that can then finish the DN resolution. This is an absolutely > essential piece of the picture.. We believe that this usage is implicit, but > that it should be made explicit. Absent a defined resolution mechanism, "dc" > names are no more resolvable than the "o=x,c=y" flavor. Your perspective is far, far more ambitious than just agreeing on a naming plan. It seems to demand an operational coupling between DNS and LDAP that would go way beyond the scope of the IDS group. The naming plan is focused on re-use of existing name allocations, DNS and others. The strange concept that one form of name is somehow "more resolvable" than another is totally foreign to the intentions document (and IDS, I presume). > 2. It proposes a way to construct DNs of various objects via the use of > "uid" and "cn" components as RDNs. We believe it instead should propose a > way to search for these objects via those attributes, which may or may not > be RDNs. We believe that this is both more useful and more flexible. More > useful, in that a common scenario will be to know the e-mail address of a > person, and want to find other attributes (e.g., a certificate); the > proposal does not provide any help in this scenario. More flexible, in that > it does not constrain the DNs of the objects -- especially since such > constraints are not really needed. Our experience with large numbers of > organizations is that the way they structure their name space is is very > dependent on organization dynamics, and they insist on near-complete freedom > in this regard. In other words, you don't want a naming plan. Can you guarantee that all future LDAP-enabled software will be written so flexibly that it will be entirely indifferent to the attributes used for naming? Or are you simply indifferent to such issues? All the discussion regarding searching, by the way, is completely off topic. Please check the requirements section again. > 3. It is not clear which sections are normative. For example, schema > definitions which seem to be needed for interoperabilty are defined in > section 5, which is entitled "Implementation Issues". The same section also > describes requirements on the subject name DN in SSL certificates that is in > conflict with existing defacto standards. If the described mechanism is > desirable, then it assuredly must be clearly declared to be normative to > have any hope of effecting a change in the existing procedures. First, I'm a bit confused as to the consistency of your position. Do you want "near complete freedom" or "normative" specifications? In any case, in the area of naming, what is normative is a very delicate issue. Recall that the current source for guidance in this area, X.521 Annex B is officially "not a part of the standard,", i.e. not normative. This document describes additional ways to construct names to solve problems encountered using the X.521 Annex B (and NADF) structure of DNs. It does not mandate that everyone use them to the exclusion of anything else; rather, it extends in a public way the options in DN construction. Those wanting "near-complete freedom" are always in a position to define any schema and naming plan they want. What we are shooting for here is an interoperable extension. Second, it would help if you were a bit more specific about the existing defacto standards you feel have been neglected. > As a result, we would suggest that these problems be fixed before proceeding > to Proposed Standard. > > Paul Thanks for your comments. -- al
--- Begin Message ---I should have copied this to the IDS list... -----Original Message----- From: Paul Leach <paulle@microsoft.com> To: iesg@ns.ietf.org <iesg@ns.ietf.org>; ietf@ietf.org <ietf@ietf.org> Date: Thursday, December 18, 1997 10:17 AM Subject: Re: Last Call: Naming Plan for Internet Directory-Enabled Applications to Proposed Standard > >-----Original Message----- >From: The IESG <iesg-secretary@ns.ietf.org> >To: IETF-Announce: ; <IETF-Announce: ;> >Date: Tuesday, December 16, 1997 12:10 PM >Subject: Last Call: Naming Plan for Internet Directory-Enabled Applications >to Proposed Standard > > >> >>The IESG has received a request from the Integrated Directory Services >>Working Group to consider Naming Plan for Internet Directory-Enabled >>Applications <draft-ietf-ids-dirnaming-03.txt> as a Proposed Standard. >> >>The IESG plans to make a decision in the next few weeks, and solicits >>final comments on this action. Please send any comments to the >>iesg@ietf.org or ietf@ietf.org mailing lists by December 29, 1997. >> >>Files can be obtained via >>ftp://ds.internic.net/internet-drafts/draft-ietf-ids-dirnaming-03.txt >> > First, we like the general direction inherent in the use of the "dc" component to construct DNs that parallel the DNS naming hierarchy. This is an extremely practical way to leverage an existing deployed resolution and registration infrastructure. However, we have several issues with the proposal: 1. It does not specify that one may expect to be able to resolve DNs ending with "dc" components by resolving the corresponding DNS name to locate an LDAP server that can then finish the DN resolution. This is an absolutely essential piece of the picture.. We believe that this usage is implicit, but that it should be made explicit. Absent a defined resolution mechanism, "dc" names are no more resolvable than the "o=x,c=y" flavor. 2. It proposes a way to construct DNs of various objects via the use of "uid" and "cn" components as RDNs. We believe it instead should propose a way to search for these objects via those attributes, which may or may not be RDNs. We believe that this is both more useful and more flexible. More useful, in that a common scenario will be to know the e-mail address of a person, and want to find other attributes (e.g., a certificate); the proposal does not provide any help in this scenario. More flexible, in that it does not constrain the DNs of the objects -- especially since such constraints are not really needed. Our experience with large numbers of organizations is that the way they structure their name space is is very dependent on organization dynamics, and they insist on near-complete freedom in this regard. 3. It is not clear which sections are normative. For example, schema definitions which seem to be needed for interoperabilty are defined in section 5, which is entitled "Implementation Issues". The same section also describes requirements on the subject name DN in SSL certificates that is in conflict with existing defacto standards. If the described mechanism is desirable, then it assuredly must be clearly declared to be normative to have any hope of effecting a change in the existing procedures. As a result, we would suggest that these problems be fixed before proceeding to Proposed Standard. Paul >--- End Message ---
- Re: Last Call: Naming Plan for Internet Directory… Al Grimstad
- Re: Last Call: Naming Plan for Internet Directory… Jeff.Hodges
- Re: Fw: Last Call: Naming Plan for Internet Direc… Al Grimstad
- Re: Fw: Last Call: Naming Plan for Internet Direc… Al Grimstad
- Re: Fw: Last Call: Naming Plan for Internet Direc… Al Grimstad
- Re: Fw: Last Call: Naming Plan for Internet Direc… Bruce Greenblatt
- Re: Fw: Last Call: Naming Plan for Internet Direc… Bruce Greenblatt