re : X.500 -Reply
Ed Reed <Ed_Reed@novell.com> Sun, 24 September 1995 17:52 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa09426; 24 Sep 95 13:52 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa09422; 24 Sep 95 13:52 EDT
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa11755; 24 Sep 95 13:52 EDT
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.02764-0@haig.cs.ucl.ac.uk>; Sun, 24 Sep 1995 18:22:14 +0100
Received: from nj-ums.fpk.novell.com by bells.cs.ucl.ac.uk with Internet SMTP id <g.09764-0@bells.cs.ucl.ac.uk>; Sun, 24 Sep 1995 18:21:59 +0100
Received: from INET-NJ-Message_Server by novell.com with Novell_GroupWise; Sun, 24 Sep 1995 13:18:25 -0400
Content-Length: 10169
Content-Type: text/plain
Message-ID: <s0655aa1.045@novell.com>
X-Mailer: Novell GroupWise 4.1
Date: Sun, 24 Sep 1995 13:21:26 -0400
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Ed Reed <Ed_Reed@novell.com>
To: pays@gctech.edelweb.fr, maciag@server1.deltanet.com
Cc: osi-ds@cs.ucl.ac.uk, DaveHU@novell.com, Jeff_Hawkins@novell.com, Lenley_Hensarling@novell.com, THasan@novell.com, Therron_Powell@novell.com
Subject: re : X.500 -Reply
Michael - Paul-Andre makes some good points, but I'd like to offer a few balancing comments of my own about his perspective - he's NOT working from a NOS perspective, but from a global internet perspective - how do I, in Where-ever-I-am, USA find someone who I think lives in Europe, but I'm not sure where, who has some characteristic that MIGHT be in their directory entry, but certainly is not in their naming attribute set. This is precisely the issue our friends in the LAN Email business remind us of on a regular basis, and what drives the requirement for a "context-less login", where the user knows their Relative Distinguished Name, but can't/don't want to be bothered by the hierarchy of their full distinguished name. Not an unreasonable day-to-day requirement for folks in their native environments. Note, too, that aside from his remarks about update speeds and connection-oriented limitations, his issues are with the access methods users have to deal with the directory. I disagree that access speeds for Update are inherently limiting (though any attempt at fully replicated data is foolish), but I do agree that connection-less access is required to support free-read access to public data like network addresses and perhaps email addresses. Indeed - full directory services MUST support DNS-style connectionless read operations as well as more connection-oriented browsing operations. Further, there IS a need for catalogs, distributed indexes, etc. to provide alternate ways to locate data using relational or even object oriented navigational mechanisms. X.500 and NDS (Novell's NetWare Directory Service - an X.501 model directory service) are NOT optimized for distributed SEARCH operations. Fine...build the side-car indexes to support those mechanisms...but to MANAGE the information, the hierarchy is essential. There are several contradictory requirements that all of us have for our network infrastructure: 1) data must be centralized so that search operations are fast; but 1a) data must be partitioned and distributed in order to support delegated management, local access by frequent users (locality of reference), and availability in the face of (still) unreliable wide area networks and occasionally (or permanently) disconnected users and services (ie, my portable computer or your branch office). 2) flat namespaces are the easiest to deal with from each users local perspective; but 2a) flat namespaces of user friendly names are not scaleable beyond a very limited community of cooperating users and servers; so 2b) each user wants a self configuring, entirely personalized, flat namespace - which is constructed gradually, naturally - in the way that scraps of paper can accumulate in their pocket with names and phone numbers. A user should only have to find something ONCE as long as the information remains the same...But note, too, that mail addresses of long lost lovers who leave no forwarding address need not and should not be required to notify holders of the old address...sometimes you WANT to disappear... 3) connectionless queries are great against dynamic caches of publicly readable data, but are seriously deficient when access controls and information protection are required; and 3a) to be kept up to date, data must be used, which means that sensitive data (that which you may not want your competitors or spouses or mothers to know) will be all jumbled up with it. Otherwise - the data store won't be of sufficient interest to you to invest the effort to keep it accurate. So you'll want to be able to simply say what you want to be available to whom. My conclusion is that directory services which are hierarchical, partitioned, replicated, distributed, and extensible are very valuable for a whole range of activities which the standards bodies (and their groupies) never imagined. But to make them viable you HAVE to go well beyond the standards to make them secure and manageable. And even then, no application will meet everyone's requirements for all possible uses of the data all the time. Requirements for performance, resources, portability of the applications, disconnectibility of both users and services, and for time criticality of synchronization will ALL drive you to various design alternatives. Paul-Andre must continue to be challenged to answer whether such efforts as Solo, WhoIs++, etc. are intended to REPLACE or AUGMENT resource managements systems like NDS (now) and Cairo (whenever) for general (meaning computer-as-appliance) users. How, for instance, does one manage namespaces, or refer to specific resources held in a distributed index such as Whois++ provides. I suspect that you don't - that the purpose of such mechanisms as Whois++ is to extract information from native resource managers (like NDS or X.500) and construct distributed indexes which support alternative navigation tools for users - but which themselves provide little or no resource management mechanisms of their own. So - I think X.501 model directory services provide a framework for managing namespaces and attribute information about the objects they model. Their operations are tuned for certain operations. Other operations require additional services (like Whois++) to meet their various performance and security requirements. Is X.500 dead, as PAP says? No, I don't think so. But neither is it an end in itself. Instead, its just a beginning, which provides a conventional way to organize things and manage them. But we must be prepared to make the data available via protocols and interfaces which meet the needs of the market, and not expect the market to come to us. Ed Reed >>> Paul-Andre Pays <pays@gctech.edelweb.fr> 09/23/95 12:56pm >>> You asked me to elaborate on my comments about X.500 being "not that good" at white pages type usage "not good at all" at yellow pages type usage Here is very briefly (as I consider X.500 is already dead, I cann't afford to spend more time) what I can write down. Beware this might appear as very offensive. It is, but please consider that what I attack is X.500 (for which I lost half of 5 years of my professional life :-( ) and not people or groups. My goal is to try to help people avoid the same errors and waste their time and efforts. White pages: in short lookups from "naming attributes" X.500 is at best OK for name resolution when you have the DN or a nearly exact DN if you have several naming attributes but errors or missing RDN high in the DIT, then the far too hierarchical naming structure will make X.500 unusable in practice most of the time yellow pages: searches using other attributes than RDN attributes are in general absolutely not doable with X.500 (think at looking for a guy whose name is Mike Maciag and email address maciag@server1.DELTANET.COM: you would have to search each and every database in the whole world...) in fact it is not fully X.500 specific, but there is no real yellow pages without a specific purpose pre-indexing of the searchable attributes. X.500 just does not enable this. --------- design flaws: there are many, many design flaws and I won't go into details such as NSSR and the brain-damaged aliases but just point out a few major issues 1. it is pure utopy to believe that a large scale distributed directory (eg. hundreds of millions of people, even more documents) can be a "database" ie. it can offer update functions. there is no chance to get an acceptable level of performance with all the access control and side effects overheads implied. If you want a world wide directory system, you have to forget online updates (think of the DNS). 2. the X.500 model does not allow for "non globally accepted" schema (whatever the X500 93 efforts) because DUA will just be unable to deal with entries and schema not predefined. No chance to use a large distributed X.500 with new object classes and DIT structuring. In fact the whole X.500 class concept is brain damaged too. The only schema usable will at most be the one approved by all PTTs. No chance to store your own objects, to structure your names. No chance to have user acceptable DUAs/DUIs for that. 3. the whole ADDMD concept is broken. there is no realistic way to have competing service providers share the same naming space. The NADF efforts are just unrealistic moves to try to overcome this flaw. The model is a centralistic/monopoly based model only suited to monopoly PTTs. 4. there is no chance to have a worldwide directory based on a connection oriented approach. Even if you use RFC1006 to run X.500 on top of TCP you are out of the game except for demos. your system will never scale up. Again, take the DNS example, do you believe there would be an internet with a TCP (connection oriented) DNS? the answer is definitely NO. X.500 being even more ambitious is a toy, or at most a tool between a few (<1000) PTTs and carriers. A worldwide large scale directory MUST be UDP based. -------- I will not say anything about the implementations and services They are doing there best... BTW I was one of them for years and it take me far too much time to get aware that I was blind and wasting my efforts. general purpose X.500 is simply dead. regards, -- PAP PS: as said before have the situation is not that bad if you have a close look at things such as whois++ and its centroid concept and Harvest with its gather/broker concept. _________________________________________________________________________ PAP: paul-andre.pays@gctech.edelWeb.fr tel: +33 1 34 52 00 88 fax: +33 1 34 52 25 26 GC Tech "The Globe Online and Globe ID Technology Company" http://www.globeonline.fr/ http://www.gctech.fr/
- re : X.500 -Reply Ed Reed
- Re: re : X.500 -Reply Sylvain Langlois
- Re: re : X.500 -Reply Chris Weider
- Re: re : X.500 -Reply Chris Weider