Re: info on X.500
Vincent Berkhout <V.Berkhout@dante.org.uk> Tue, 27 June 1995 12:42 UTC
Date: Tue, 27 Jun 1995 11:09:43 +0000
To: Kristoff Bonne <kristoff.bonne@ping.be>, osi-ds@cs.ucl.ac.uk
Cc: meulemans@helios.iihe.rtt.be
At 21:10 26/6/95, Kristoff Bonne wrote:
> I try it here once more.
I have a feeling that this works better. Let me have a shot at it.
>I would like to ask some questions on X.500. I hope I am at the right
>place for that. I am quite a novice to X.500, so please excuse my
>(probably) misuse of words.
You're in the right place here.
>1: There already seems to exist an X.500 space. I can browse thru it
>using one of the public-domain X.500 dua's. (e.g. pixie, wax, wdua,
>..).
Yes this is correct. This X.500 name space is set up during the X.500
Directory Pilot project and nowadays DANTE tries to co-ordinate some of
this as an operational service, at least for parts of Europe. That's why my
reply :-)
>I did notice there are quite a few differences between certain parts of
>the X.500 tree. Some countries (like Belgium) have very few
>organisations, each with only 1 or 2 people in it, while others (like
>Denmark) have a lot of them.
A lot of things happened in the past, some countries (or better,
organisations) have a real emphasis on the development of X.500 (or
directories) and see the importance (like SURFnet, SWITCH, etc.) and others
are not or almost not participating. This is more a political problem and
not really technical. *Directories will not succeed without management
back-up* because it is far more than setting up a DSA.
The only thing I have to say here is watch out with sizes! Some
countries used so-called bulk load tools to do a bulk load of data, especially
some universities. Some of these parts are not maintained at all! Quantity
does not say anything about the quality.
>Now, is this the final X.500 space where all organisations will be
>linked to, or is this just a 'test' and has the 'real' X.500 space
>still to be built?
At this moment we are gradually migrating from the test to the operational
phase. This means it is a bit of both .. there are some parts really
maintained, unfortunately other parts :-( The great goal for the future is
on one hand technical; an infrastructure built on the real standard and on
the other side organisational; having proper agreements in place and
controlling this. It is a long way to go ... for any directory solution!
>Are there any other X.500 spaces?
NameFLOW-Paradise is your "entry point" for Europe (and for Belgium it is
Belnet) but its target group is (was) mainly the academic and research
community. As for similar X.500 spaces which are open, international and
operational, I have to disappoint you.
>Is there already a way to 'register' one-self into the X.500 space?
This is a bigger issue than you think. At this moment there is an ad hoc
approach: as long as no one used the name you can use it. A proper solution
would be a national authority who is responsible for the name space. Mind
that some countries again are far ahead in this field and have proper
authorities controlling the name space! How this is solved within Belgium
you would have to ask Nils (cc-ed).
>Also, I found -at some point of the X.500 tree- an entry called
>'internet', which looked like a 'gateway' between the X.500 space and
>internet 'services'. (?)
>Can anybody give any info on that?
It was a test to locate Internet services and stuff like that. I think you
can consider it "historical" ......
>2: In the documentation I've read on X.500, there always was a strict
>hierarchy: country -> organisation -> OrganisationUnit.
>If I look at the X.500 space, as it exists now, there are a lot of
>different hierarchies. Some examples:
>- l=europe, o=eunet,
There are a few organisations that certainly do not belong to any country
such as the European space agency. The locality Europe is introduced to
place these organisations. At this moment there is a project called TOPOL
funded by the EEMA to look into these matters of naming, especially the
root naming. (project currently run by <r.molesworth@logica.co.uk>)
>- c=be, st=west-vlaanderen, l=oostende
There is a difference between a residential and an organigram (?) structure.
>I even found people, right under the 'world'-level. (?)
There should not be any, can you tell me who?
>Now, did the documentation I read oversimplify things, or are that only
>'irregularities' in the X.500 space?
I think X.500 allows you to do pretty much, however there are some
guidelines specified in RFC 1617 to keep it in control.
>If the non-existence of a hierarchy is a fact, how does one go about
>the search of such a 'database'?
Clever user agents with good search algorithms like "de". (telnet
nameflow.dante.net, login dua)
>Also, say I want to set up an X.500 server, and make it part of the
>X.500 space. Where does one 'register' the server? Where does one
>'connect' the server to the X.500 space? What part of the 'tree' do I put
>myself under?
In principle one level up. As long as there are no official country nodes,
the r&d community run these nodes and you could ask them to connect. In the
future there could be an alternative to country nodes or even different
DITs as commercial organisations could stand up and provide these directory
services. The most common thing to do is to set up a server for an
organisation and put "cn=myself" under it.
>3: How does X.500 handle the fact that an object can/should be at more
>places in the X.500 space? (Can it?)
Aliasing or naming links. A short paper written by David Chadwick was
produced for the last NameFLOW meeting and is available on the web
<http://www.dante.net/np/multi.html>.
>E.g. Is there a way to register a person (as an example of an object)
>twice: once as an employee of a firm (c=be, o=belgacom, cn=Kristoff
>Bonne), and as a 'private' person (c=be, s=west-vlaanderen,
>l=oostende, cn=Kristoff Bonne).
>Is there a way to 'link' those two objects, but still have a
>distinction between them?
see paper, it provides three scenarios. Being pessimistic: the future will
bring us all three :-(
>4: How does X.500 handle the fact that object can 'move'? Is there a
>mechanism to find back an object (say a person), after they have
>moved to another location in the X.500 tree? (say she/he went to work
>for another company, or moved to another town??)
Yes, you could use an alias ....
Now, there are no bi-directional pointers and you will need some kind of
"search engine" to check correctness and this is virtually impossible. This
is explained by Paul Barker in <http://www.dante.net/np/papers.html> X.500
Index DSAs which could provide a solution to this problem.
>Same questions for when a complete 'branch' of the tree moves? How
>does X.500 handle the fact that (e.g.) a company can be taken over
>by another company and should be moved from (c=XX, o=YY) to (c=AA,
>o=BB, ou=YY)?
There is a difference between the informational and the functional model.
The only thing that changes is the dir. management domain. In real life you
would "unplug" your part of the DIT and "hook" it under o=BB.
>5: I have heard somewhere there is being worked on 'extensions' to
>X.500 (called X.509 (?)), which can/will be used to set up a worldwide,
>public/private-keysystem. Can anybody give any info on that and say
>how far X.509 is from a practical use?
Project Long Bud was seriously involved in X.509 security and the most
recent thing I know is RFC 1802 which gives an introduction to this
project.
Hope this helps a bit,
Vinc&
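
The one-way alias pointer discussed under questions 3 and 4, as an added example that is not part of the original message: a constructed toy DIT in which an entry is moved and the alias that pointed at it is left dangling, so only a scan over all entries finds it. The dictionary model, the function names and the `o=NewCo` entry are assumptions made for illustration; `aliasedObjectName` is the standard attribute that holds an alias target.

```python
ALIAS_ATTR = "aliasedObjectName"  # attribute holding an alias entry's target DN

def norm(dn):
    """Case-insensitive, whitespace-tolerant form of a comma-separated DN."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def build_dit():
    """Constructed toy DIT, most significant RDN first as in the message."""
    entries = {
        "c=BE": {},
        "c=BE,o=Belgacom": {},
        "c=BE,o=Belgacom,cn=Kristoff Bonne": {"objectClass": "person"},
        "c=BE,st=West-Vlaanderen,l=Oostende": {},
        "c=BE,st=West-Vlaanderen,l=Oostende,cn=Kristoff Bonne": {
            "objectClass": "alias",
            ALIAS_ATTR: "c=BE,o=Belgacom,cn=Kristoff Bonne"},
        "c=BE,o=NewCo": {},  # hypothetical new employer
    }
    return {norm(dn): attrs for dn, attrs in entries.items()}

def dereference(dit, dn, max_hops=8):
    """Follow alias pointers; return the object's DN, or None if the chain
    dangles, loops, or exceeds max_hops."""
    seen, cur = set(), norm(dn)
    while cur in dit and len(seen) < max_hops:
        target = dit[cur].get(ALIAS_ATTR)
        if target is None:
            return cur          # reached a real (non-alias) entry
        if cur in seen:
            return None         # alias loop
        seen.add(cur)
        cur = norm(target)
    return None                 # target missing or chain too long

def move_subtree(dit, old, new):
    """Rename an entry and everything below it. Aliases elsewhere are left
    untouched: the moved entry holds no back-pointer to them."""
    old, new = norm(old), norm(new)
    for dn in [d for d in dit if d == old or d.startswith(old + ",")]:
        dit[new + dn[len(old):]] = dit.pop(dn)

def dangling_aliases(dit):
    """Scan every entry: in this model nothing else reveals a stale alias."""
    return sorted(dn for dn, attrs in dit.items()
                  if ALIAS_ATTR in attrs and dereference(dit, dn) is None)
```
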