Comments from Christian H. on LDAP

Erik Huizer <Erik.Huizer@surfnet.nl> Tue, 05 January 1993 14:59 UTC

From: Erik Huizer <Erik.Huizer@surfnet.nl>
Message-ID: <9301050844.AA05227@survival.surfnet.nl>
To: RARE & IETF OSI-DS wg <osi-ds@cs.ucl.ac.uk>
Cc: Christian Huitema <Christian.Huitema@sophia.inria.fr>
Subject: Comments from Christian H. on LDAP
Organisation: SURFnet bv
Address: Cluetinckborch, P.O. Box 19035, 3501 DA Utrecht, NL
Phone: +31 30 310290
Telefax: +31 30 340903

Happy new year!

As LDAP is up for the last call on its way to proposed standard, I have
asked a couple of people to give this a thorough review. Earlier I forwarded
Marshall's comments to the authors. Here are some more extensive comments by
Christian, to whom I'm very grateful that he has spent some time reading
through this.

I will leave it to the authors to deal with these comments. However, the IESG
will not go forward with this document until it gets a signal from the
authors or the chair that these comments have been dealt with in a
satisfactory way.

Christian's last (MAJOR) remark is of course in a league of its own. I would
like to see some discussion on that on this list. Will moving LDAP forward
in its current form prevent us from integrating LDSP as described by
Christian somewhere in the future? Or can we safely standardise LDAP and
work the DSP part in later? Opinions?


Erik

------- Forwarded Message

Date:    Mon, 04 Jan 93 14:41:25 -0500
From:    Christian Huitema <Christian.Huitema@sophia.inria.fr>
To:      Erik Huizer <Erik.Huizer@surfnet.nl>
Subject: Re: Request

===================================================================
Comments on the LDAP proposal:
==============================

I read the LDAP proposal with interest. The general architecture is sound: it
keeps the X.500 "ASE" while removing the unnecessary overhead due to the
Session, Presentation and ROS layer. I have however a couple of minor remarks,
and one major question. The minor remarks are the following:

1- Why define IA5String ::= OCTET STRING
when it is already defined in ASN.1 as [UNIVERSAL 19] OCTET 
STRING?

2- There should be a provision to use the common authentication 
technology. In particular, one should be able to include a 
challenge/response mechanism and the use of PEM certificates.

3- Do we really need to carry the X.500 update operations over 
the network? We could probably do without!

4- There should be a provision for "batching" several messages. I don't
understand whether LDAP allows sending a query without sending a
"BIND" first; stateless operation should be allowed!

5- The request that all ids be strictly superior to all previous IDs 
is impractical. One should either use a modulo, or a restriction of 
the form "not reused...".

And now, the MAJOR problem. I don't understand the real purpose of this
proposal -- more precisely, I believe its purpose is far too limited.
It seems uniquely designed as a way to use TCP instead of T/S/P/ROS
between the DUA and the "home DSA". What of distributed operation? If
you really want to run a white page service on the Internet, nobody,
not even the servers, should be bothered with running the OSI upper
layers. You should define the representation of knowledge, and in
particular the "Continuation References" returned in REFERRALs and
Result Lists, in terms of domain names and IP addresses; this protocol
should replace DSP as well as DAP!

Think more. The hierarchical distribution of searches in X.500 is
bogus. Suppose we would want to provide a "yellow page" service. Why
not start from LDAP and try to integrate the "forward reference"
concepts of WHOIS++? LDAP could then be the first step towards a white
+ yellow pages service in the Internet.

Christian Huitema

------- End of Forwarded Message
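As an added illustration of Christian's remark 1, written for this archive page and not taken from the LDAP draft or from either author: a minimal BER encoder/decoder showing that a type declared as `IA5String ::= OCTET STRING` goes on the wire with the OCTET STRING tag (0x04) instead of the universal IA5String tag (0x16), and that a receiver expecting a genuine IA5String then has to enforce the 7-bit character constraint itself. The sample value `cn=foo` is constructed.

```python
# Added example: BER encoding of OCTET STRING vs. IA5String (not from the draft).
UNIVERSAL_OCTET_STRING = 0x04  # [UNIVERSAL 4]
UNIVERSAL_IA5STRING = 0x16     # [UNIVERSAL 22]


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_octet_string(data: bytes) -> bytes:
    """What 'IA5String ::= OCTET STRING' produces: tag 0x04, any bytes allowed."""
    return bytes([UNIVERSAL_OCTET_STRING]) + ber_length(len(data)) + data


def encode_ia5string(text: str) -> bytes:
    """A real IA5String: tag 0x16, and non-7-bit input is rejected up front."""
    data = text.encode("ascii")  # raises UnicodeEncodeError on non-IA5 text
    return bytes([UNIVERSAL_IA5STRING]) + ber_length(len(data)) + data


def decode_tlv(buf: bytes):
    """Decode one primitive TLV; returns (tag, value, remaining bytes)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[2:2 + nbytes], "big")
        pos = 2 + nbytes
    if len(buf) < pos + length:
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], buf[pos + length:]


def decode_ia5string(buf: bytes) -> str:
    """Receiver expecting IA5String: checks the tag and the 7-bit constraint."""
    tag, value, _ = decode_tlv(buf)
    if tag != UNIVERSAL_IA5STRING:
        raise ValueError(f"expected IA5String tag 0x16, got 0x{tag:02x}")
    if any(b > 0x7F for b in value):
        raise ValueError("non-IA5 byte inside IA5String")
    return value.decode("ascii")


def is_valid_ia5string(buf: bytes) -> bool:
    """Boolean wrapper for the checks above."""
    try:
        decode_ia5string(buf)
        return True
    except ValueError:
        return False
```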