RFC 2120 Managing the X.500 Root Naming Context March 1997
Table of Contents
1 Introduction............................................. 2
2 Migration Plan........................................... 3
3 Technical Solutions...................................... 3
4 The Fast Track Solution.................................. 4
5 The Slower Track Solution................................ 6
6 The Long Term Solution................................... 7
7 Security Considerations.................................. 8
8 Acknowledgments.......................................... 9
9 References............................................... 9
10 Author's Address........................................ 10
Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-
T by the UK........................................... 11
Annex 2 Defect Report on 1993 X.500 Standard for Adding
full ACIs to DISP for Subordinate References, so that
Secure List Operation can be performed in Shadow DSAs. 12
Annex 3 Defect Report on 1997 X.500 Standard Proposing
an Enhancement to the Shadowing Agreement in order to
support 1 Level Searches in Shadow DSAs............... 14
1 Introduction
The NameFLOW-Paradise service has a proprietary way of managing the
set of first level DSAs and the root naming context. There is a
single root DSA (Giant Tortoise) which holds all of the country
entries, and the country entries are then replicated to every country
(first level) DSA and other DSAs by Quipu replication [RFC 1276] from
the root DSA. In June 1996 there were 770 DSAs replicating this
information over the Internet. The root DSA is not a feature of the
X.500 Standard [X.500 93]. It was introduced because of the non-
standard nature of the original Quipu knowledge model (also described
in RFC 1276). However, it does have significant advantages both in
managing the root naming context and in the performance of one-level
Searches of the root. Performance is increased because each country
DSA holds all the entry information of every country.
By comparison, the 1988 X.500 Standard root context, which is
replicated to all the country DSAs, only holds knowledge information
and a boolean (to say if the entry is an alias or not) for each
country entry. This is sufficient to perform an insecure List
operation, but not a one-level Search operation. When access controls
were added to the 1993 X.500 Standard, the root context information
was increased (erroneously as it happens - this is the subject of
defect report 140 - see Annex 1) to hold the access controls for each
country entry, but a note in the X.500 Standard restricted its use to
the List operation, in order to remain compatible with the 1988
edition of the X.500 Standard.
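The following Python model is an added illustration, not part of the RFC text. It shows which operations a country DSA can answer from its own copy of the root context under the three levels of replicated information described above. Assumptions: an ACI is reduced to the set of users allowed to list an entry, access control on Search results is omitted, and all DSA names, users and attribute values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

class NeedsMaster(Exception):
    """The shadow copy lacks the data; the master DSAs must be consulted."""

@dataclass
class CountryRef:
    rdn: str                           # e.g. "c=GB"
    master_dsa: str                    # knowledge information
    is_alias: bool                     # the boolean held since 1988
    aci: Optional[set] = None          # 1993: simplified to "who may list it"
    attributes: Optional[dict] = None  # full entry, as the root DSA replicates it

def list_root(shadow, user=None, secure=False):
    """List needs only names and the alias flag; a secure List also needs ACI."""
    out = []
    for ref in shadow:
        if secure:
            if ref.aci is None:
                raise NeedsMaster(f"no access controls held for {ref.rdn}")
            if "*" not in ref.aci and user not in ref.aci:
                continue  # entry is hidden from this user
        out.append((ref.rdn, ref.is_alias))
    return out

def search_one_level(shadow, attr, value):
    """A one-level Search filters on attributes, so it needs full entries."""
    hits = []
    for ref in shadow:
        if ref.attributes is None:
            raise NeedsMaster(f"no entry information held for {ref.rdn}")
        if value in ref.attributes.get(attr, []):
            hits.append(ref.rdn)
    return hits

# Constructed sample data: DSA names, users and attribute values are invented.
def make_context(level):
    rows = [("c=GB", "dsa-gb.example", {"*"}, {"description": ["United Kingdom"]}),
            ("c=US", "dsa-us.example", {"alice"}, {"description": ["United States"]})]
    return [CountryRef(rdn, dsa, False,
                       aci if level in ("1993", "full") else None,
                       attrs if level == "full" else None)
            for rdn, dsa, aci, attrs in rows]
```

Calling `make_context` with "1988", "1993" or "full" builds the corresponding shadow copy; a `NeedsMaster` exception marks a request that cannot be satisfied locally.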
Chadwick Experimental