RFC 2120         Managing the X.500 Root Naming Context       March 1997


Table of Contents

   1 Introduction.............................................   2
   2 Migration Plan...........................................   3
   3 Technical Solutions......................................   3
   4 The Fast Track Solution..................................   4
   5 The Slower Track Solution................................   6
   6 The Long Term Solution...................................   7
   7 Security Considerations..................................   8
   8 Acknowledgments..........................................   9
   9 References...............................................   9
   10 Author's Address........................................  10
   Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-
        T by the UK...........................................  11
   Annex 2 Defect Report on 1993 X.500 Standard for Adding
        full ACIs to DISP for Subordinate References, so that
        Secure List Operation can be performed in Shadow DSAs.  12
   Annex 3 Defect Report on 1997 X.500 Standard Proposing
        an Enhancement to the Shadowing Agreement in order to
        support 1 Level Searches in Shadow DSAs...............  14

1     Introduction

   The NameFLOW-Paradise service has a proprietary way of managing the
   set of first level DSAs and the root naming context. There is a
   single root DSA (Giant Tortoise) which holds all of the country
   entries, and the country entries are then replicated to every country
   (first level) DSA and other DSAs by Quipu replication [RFC 1276] from
   the root DSA. In June 1996 there were 770 DSAs replicating this
   information over the Internet. The root DSA is not a feature of the
   X.500 Standard [X.500 93]. It was introduced because of the non-
   standard nature of the original Quipu knowledge model (also described
   in RFC 1276). However, it does have significant advantages both in
   managing the root naming context and in the performance of one-level
   Searches of the root.  Performance is increased because each country
   DSA holds all the entry information of every country.

   By comparison, the 1988 X.500 Standard root context, which is
   replicated to all the country DSAs, only holds knowledge information
   and a boolean (to say if the entry is an alias or not) for each
   country entry. This is sufficient to perform an insecure List
   operation, but not a one-level Search operation. When access controls
   were added to the 1993 X.500 Standard, the root context information
   was increased (erroneously as it happens - this is the subject of
   defect report 140 - see Annex 1) to hold the access controls for each
   country entry, but a note in the X.500 Standard restricted its use to
   the List operation, in order to remain compatible with the 1988
   edition of the X.500 Standard.
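
   The following toy model is an added example, not part of the RFC or of any DSA implementation. It shows what a DSA can answer from its own copy of the root context in the three cases described above: knowledge plus alias flag (1988), the same plus access controls (1993), and full entry information (the Quipu-style root copy). The country names, DSA names, the `description` attribute values and the set-based ACI are constructed assumptions; the ACI is a simplified stand-in that only models permission to list an entry.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RootCopyEntry:
    """One country entry in a DSA's copy of the root context (toy model)."""
    rdn: str
    master_dsa: str                        # knowledge information
    is_alias: bool = False                 # the 1988 alias boolean
    list_allowed: Optional[set] = None     # simplified ACI; None = not held
    attributes: Optional[dict] = None      # entry information; None = not held

# Constructed sample data: (RDN, master DSA, who may list it, attributes).
MASTER = [
    ("c=GB", "dsa-gb.example", {"*"}, {"description": "United Kingdom"}),
    ("c=DE", "dsa-de.example", {"*"}, {"description": "Germany"}),
    ("c=XX", "dsa-xx.example", {"admin"}, {"description": "Restricted"}),
]

def build_copy(style):
    """style: '1988' (knowledge + alias), '1993' (+ ACI), 'full' (+ attributes)."""
    return [RootCopyEntry(rdn, dsa,
                          list_allowed=set(acl) if style in ("1993", "full") else None,
                          attributes=dict(attrs) if style == "full" else None)
            for rdn, dsa, acl, attrs in MASTER]

def list_root(copy, requester):
    """Local List. Returns (names, secure); without ACI nothing can be withheld."""
    names, secure = [], True
    for e in copy:
        if e.list_allowed is None:
            secure = False                 # insecure List: every name is returned
            names.append(e.rdn)
        elif "*" in e.list_allowed or requester in e.list_allowed:
            names.append(e.rdn)
    return names, secure

def search_root(copy, attr, value):
    """One-level Search. Returns (local matches, DSAs that must be asked)."""
    matches, ask = [], []
    for e in copy:
        if e.attributes is None:
            ask.append(e.master_dsa)       # no entry data held: cannot filter locally
        elif e.attributes.get(attr) == value:
            matches.append(e.rdn)
    return matches, ask
```

   With the 1988 copy the List result includes the restricted entry and is flagged insecure; with the full copy the Search is answered without contacting any other DSA.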



Chadwick                      Experimental