Re: Some Changes to LDAP ASN for SID (plus incomplete PER primer)
Steve Kille <S.Kille@isode.com> Fri, 06 May 1994 17:31 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa03337; 6 May 94 13:31 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa03331; 6 May 94 13:31 EDT
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa08995; 6 May 94 13:31 EDT
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.02703-0@haig.cs.ucl.ac.uk>; Fri, 6 May 1994 15:59:44 +0100
Received: from glengoyne.isode.com by bells.cs.ucl.ac.uk with Internet SMTP id <g.29264-0@bells.cs.ucl.ac.uk>; Fri, 6 May 1994 15:59:32 +0100
To: Simon E Spero <ses@tipper.oit.unc.edu>
cc: ldap@umich.edu, asid@umich.edu, osi-ds@cs.ucl.ac.uk
Subject: Re: Some Changes to LDAP ASN for SID (plus incomplete PER primer)
Phone: +44-81-332-9091
In-reply-to: Your message of Mon, 18 Apr 1994 16:13:06 -0400. <9404182013.AA05957@tipper.oit.unc.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6463.768236329.1@glengoyne.isode.com>
Date: Fri, 06 May 1994 15:59:01 +0100
Message-ID: <6469.768236341@glengoyne.isode.com>
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Steve Kille <S.Kille@isode.com>
Simon, I've just reviewed your proposal and the subsequent discussion, and would like to comment. I think that there are various issues being tangled up together. There are three protocols being discussed. LDAP: This is the basic lightweight directory acccess mechanism. Some changes being discussed might affect this. CLDAP: A connectionless version of LDAP, targetted at looking up specific information about known objects (e.g., name to address resolution) SID: A proposed new access protocol derived from LDAP. Comments: 1) Use of PER. Clearly PER has some advantages over BER. However, all existing IETF uses of ASN.1 use BER. A switch to PER should be strongly justified. For example, if there is only a 10-20% saving for a typical 512 byte packet, I would argue strongly that the benefit does not justify the change from BER to PER. I'd like to see some numbers for typical packets so that we can see what the gains are. 2) Information and Service models. LDAP was designed as a mechanism to access X.500. LDAP functionality is a strict subset of X.500 DAP (in practice a very high percentage of the function). Because of this, LDAP can be written as a protocol only. All issues of information model, distributed operation and service specification are handled by reference to X.500. This allows LDAP to be a very tight specification. CLDAP is the same, and is made even simpler by adopting LDAP PDU definitions. If you define a protocol such as SID, which contains function not in X.500, this simplifying assumption no longer applies. A viable specification of SID would need to define: - overall information model - service definition - distributed operations These could be done relative to X.500. To be useful, it would probably also be sensible to define how a SID directory relates to the X.500 directory. 3) The need for a connection oriented version. There are clear reasons why a connection-oriented protocol is useful. Large search results and various security issues spring to mind. Proposal: 1) Leave LDAP alone. We have a working and useful protocol. Changes should be made with utmost caution, and with strong reason. 2) Proceed with Alan Young's propsal for CLDAP, possibly modulo minor changes. Rationale: - There is a clear need for CLDAP - The proposal is straightforward, and has maximum compatibility with the existing deployed LDAP - It can be done immediately I believe that getting this specification out to the world is urgent and important. I would like to see this group determine a mechanism to get this out as an RFC ASAP. 3) Proceed independently with work on SID. I have expressed my reservations, but I have no objections to others investigating this area. There are enough issues, that it is quite clear that there will not be a rapid focus. Because it defines a new directory, and not just an access mechanism, this work would not conflict with LDAP/CLDAP. Steve Kille
- Some Changes to LDAP ASN for SID (plus incomplete… Simon E Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Glenn Mansfield
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Russ Wright
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Alan Young
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Alan Young
- Re: Some Changes to LDAP ASN for SID (plus incomp… Julian Onions
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon E Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Russ Wright
- Re: Some Changes to LDAP ASN for SID (plus incomp… Mark Wahl
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon E Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Mark Wahl
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon E Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Tim Howes
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon E Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Mark Wahl
- Re: Some Changes to LDAP ASN for SID (plus incomp… Mark Wahl
- Re: Some Changes to LDAP ASN for SID (plus incomp… Simon Spero
- Re: Some Changes to LDAP ASN for SID (plus incomp… Steve Kille