Diffstat (limited to 'doc/rfc/rfc1943.txt')
-rw-r--r-- doc/rfc/rfc1943.txt | 1235
1 files changed, 1235 insertions, 0 deletions
diff --git a/doc/rfc/rfc1943.txt b/doc/rfc/rfc1943.txt
new file mode 100644
index 0000000..504411b
--- /dev/null
+++ b/doc/rfc/rfc1943.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Network Working Group B. Jennings
+Request for Comments: 1943 Sandia National Laboratory
+Category: Informational May 1996
+
+
+ Building an X.500 Directory Service in the US
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ This document provides definition and recommends considerations that
+ must be undertaken to operate a X.500 Directory Service in the United
+ States. This project is the work performed for the Integrated
+ Directory Services Working Group within the Internet Engineering Task
+ Force, for establishing an electronic White Pages Directory Service
+ within an organization in the US and for connecting it to a wide-area
+ Directory infrastructure.
+
+ Establishing a successful White Pages Directory Service within an
+ organization requires a collaborative effort between the technical,
+ legal and data management components of an organization. It also
+ helps if there is a strong commitment from the higher management to
+ participate in a wide-area Directory Service.
+
+ The recommendations presented in the document are the result of
+ experience from participating in the Internet White Pages project.
+
+Table of Contents
+
+ 1.0 Introduction 2
+ 1.1 Purpose of this Document 2
+ 1.2 Introduction to Directory Services 2
+ 2.0 The X.500 Protocol 4
+ 2.1 Introduction 4
+ 2.2 Directory Model 4
+ 2.3 Information Model 5
+ 2.4 Benefits and Uses for X.500 Directory Service 6
+ 2.5 Other Applications of X.500 7
+ 3.0 Legal Issues 8
+ 3.1 Introduction 8
+ 3.2 Purpose of the Directory 8
+ 3.3 User Rights 9
+ 3.4 Data Integrity 9
+
+
+
+Jennings Informational [Page 1]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ 3.5 Protection of the Data 10
+ 3.6 Conclusions 10
+ 4.0 Infrastructure 11
+ 4.1 Introduction 11
+ 4.2 A Well Maintained Infrastructure 11
+ 4.3 DUA Interfaces for End Users 12
+ 5.0 Datamanagement & Pilot Projects 13
+ 5.1 Simple Internet White Pages Service 13
+ 5.2 InterNIC 13
+ 5.3 ESnet 14
+ 6.0 Recommendations 14
+ 6.1 General 14
+ 6.2 Getting Started 14
+ 6.3 Who are the Customers 14
+ 6.4 What are the Contents of the Directory 15
+ 6.5 What are the Rights of the Individuals 15
+ 6.6 Data Integrity 16
+ 6.7 Data Security 16
+ 6.8 Data Administration 17
+ 6.9 Conclusion 17
+ 7.0 References 18
+ 8.0 Glossary 19
+ 9.0 Security Considerations 22
+ 10.0 Author's Address 22
+
+1.0 Introduction
+
+1.1 Purpose of this Document
+
+ This document provides an introduction for individuals planning to
+ build a directory service for an organization in the US. It presents
+ an introduction to the technical, legal, and organizational aspects
+ of a directory service. It describes various options to organizations
+ who want to operate an X.500 Directory service and illustrates these
+ with examples of current X.500 service providers.
+
+1.2 Introduction to Directory Services
+
+ An electronic directory server is an electronic process that provides
+ a list of information provided via electronic access. This
+ information is variable in content, however it should be explicitly
+ defined by the directory purpose. Information about people,
+ organizations, services, network hardware are just a few examples of
+ data content that a directory service can provide. The aim of an
+ X.500 Directory service is to make using the directory intuitive and
+ as easy to use as calling for directory assistance. The X.500
+ Directory service is an international standard ratified by the
+ International organization for Standardization (IS) and the ITU-T
+
+
+
+Jennings Informational [Page 2]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ International Telecommunication Union formerly (CCITT) in 1988 [1].
+
+ The Directory is intended to be global service comprised of
+ independently operated and distributed Directory Service Agents
+ (DSAs), that provide information in the form of a White Pages Phone
+ Directory.
+
+ Electronic mail communication benefits from the existence of a global
+ electronic White Pages to allow network users to retrieve addressing
+ information in an intuitive fashion. Manual searching for names and
+ addresses, specifically electronic addresses, can take a great deal
+ of time. A White Pages directory service can enable network users to
+ retrieve the addresses of communication partners in a user friendly
+ way, using known variables such as common name, surname, and
+ organization to facilitate various levels of searches.
+
+ In order to make global communication over computer networks work
+ efficiently, a global electronic White Pages service is
+ indispensable. Such a directory service could also contain telephone
+ and fax numbers, postal addresses as well as platform type to
+ facilitate in translation of documents between users on different
+ systems. An electronic White Pages may prove to be useful for
+ specific local purposes; replacing paper directories or improving
+ quality of personnel administration for example. An electronic
+ directory is much easier to produce and more timely than paper
+ directories which are often out of date as soon as they are printed.
+
+ The Internet White Pages Project provides many companies in the US
+ with an opportunity to pilot X.500 in their organizations.
+ Operating as a globally distributed directory service, this project
+ allows organizations in a wide variety of industry type to make
+ themselves known on the Internet and to provide access to their staff
+ as desired.
+
+ Some organizations, such as ESnet agreed to manage directory
+ information for other organizations. ESnet maintains data at their
+ site for all the national laboratories. They provide assistance to
+ organizations in defining their directory information tree (DIT)
+ structure. They also provide free access to the X.500 Directory via
+ Gopher, WWW, DUAs, whois and finger protocols.
+
+ The InterNIC is another directory services provider on the Internet.
+ To date [June 1995] they hold X.500 directory data for 52
+ organizations and provide free access to this data via various
+ protocols: X.500 DUA, E-Mail, whois, Gopher and WWW.
+
+ To find the most current listing of X.500 providers see RFC 1632 -
+ Catalog of Available X.500 Implementations [2].
+
+
+
+Jennings Informational [Page 3]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+2.0 The X.500 Protocol
+
+2.1 Introduction
+
+ This chapter provides the basic technical information necessary for
+ an organization to begin deploying an X.500 Directory Service. It
+ provides a brief introduction to the X.500 protocol and the
+ possibilities that X.500 offers.
+
+2.2 The Directory Model
+
+ X.500 Directory Model is a distributed collection of independent
+ systems which cooperate to provide a logical data base of information
+ to provide a global Directory Service. Directory information about a
+ particular organization is maintained locally in a Directory System
+ Agent (DSA). This information is structured within specified
+ standards. Adherence to these standards makes the distributed model
+ possible. It is possible for one organization to keep information
+ about other organizations, and it is possible for an organization to
+ operate independently from the global model as a stand alone system.
+ DSAs that operate within the global model have the ability to
+ exchange information with other DSAs by means of the X.500 protocol.
+
+ DSAs that are interconnected form the Directory Information Tree
+ (DIT). The DIT is a virtual hierarchical data structure. An X.500
+ pilot using QUIPU software introduced the concept of a "root" DSA
+ which represents the world; below which "countries" are defined.
+ Defined under the countries are "organizations". The organizations
+ further define "organizational units" and/ or "people". This DIT
+ identifies the DIT for the White Pages X.500 services.
+
+ Each DSA provides information for the global directory. Directories
+ are able to locate in the hierarchical structure discussed above,
+ which DSA holds a certain portion of the directory. Each directory
+ manages information through a defined set of attributes and in a
+ structure defined as the Directory Information Base (DIB).
+
+ A DSA is accessed by means of a Directory User Agent (DUA). A DUA
+ interacts with the Directory by communicating with one or more DSAs
+ as necessary to respond to a specific query. DUAs can be an IP
+ protocol such as whois or finger, or a more sophisticated application
+ which may provide Graphical User Interface (GUI) access to the DSA.
+ Access to a DSA can be accomplished by an individual or automated by
+ computer application.
+
+
+
+
+
+
+
+Jennings Informational [Page 4]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+2.3 The Information Model
+
+ In addition to the Directory Model, the X.500 standard defines the
+ information model used in the Directory Service. All information in
+ the Directory is stored in "entries", each of which belong to at
+ least one "object class". In the White Pages application of X.500
+ object classes are defined as country, organization, organizational
+ unit and person.
+
+ The object classes to which an entry belongs defines the attributes
+ associated with a particular entry. Some attributes are mandatory
+ others are optional. System administrators may define their own
+ attributes and register these with regulating authorities, which will
+ in turn make these attributes available on a large scale.
+
+ Every entry has a Relative Distinguished Name (RDN), which uniquely
+ identifies the entry. A RDN is made up of the DIT information and the
+ actual entry.
+
+ The Directory operates under a set of rules know as the Directory
+ schema. This defines correct utilization of attributes, and ensures
+ an element of sameness throughout the global Directory Service.
+
+ Under the White Pages object class "Person" there are three mandatory
+ attributes:
+
+ objectClass commonName surName
+
+ These attributes along with the DIT structure above, define the RDN.
+
+ An example of an entry under Sandia National Laboratory is shown
+ here: @c=US@o=Sandia National Laboratory@ou=Employees@cn=Barbara
+ Jennings
+
+ root
+ / \
+ / \
+ c=US c=CA
+ / \
+ / \
+ o=Sandia National o=ESnet
+ Laboratory
+ / \
+ / \
+ ou=Employees ou=Guests
+ / \
+ / \
+ cn=Barbara Jennings cn=Paul Brooks
+
+
+
+Jennings Informational [Page 5]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ Organizations may define the best structure suited for their DIT.
+ Typically an organizations DIT will look very much like the
+ organizations structure itself. A DIT structure is determined by
+ naming rules and as such, becomes the elements unique Relative
+ Distinguished Name (RDN). The DIT structure may also be dependent on
+ whether the DSA information is administered by a flat file or a
+ database. Extra consideration to designing of the DIT structure
+ should be taken when using flat files versus a database, as it takes
+ longer to search through a flat file if the tree structure becomes
+ too complex or intricate. To obtain information on recommended schema
+ for DIT structuring see RFC1274 [3].
+
+2.4 Benefits and Uses for X.500 Directory Service
+
+ The nature of the X.500 Directory makes it suitable for independently
+ operated segments that can be expanded to global distribution. The
+ benefits for local directory use are:
+
+ - with the distributed nature of the service, an organization may
+ separate the responsibility for management of many DSAs and still
+ retain the overall structure;
+
+ - the robustness of this service allows it to provide information to a
+ wide range of applications. Whereas globally integrated projects must
+ conform to a specific DIT, independent X.500 operations may define
+ unique DITs, object classes and attributes as per their specific
+ needs;
+
+ - X.500 is a good alternative for paper directories, offering the
+ ability to update and modify in an interactive mode. This allows a
+ company to provide the most current information with less cost and
+ effort;
+
+ - because of the electronic base of X.500, other electronic
+ applications may interact with the application without human
+ intervention.
+
+ The benefits for global directory use are:
+
+ - the distributed nature of X.500 is well suited for large global
+ applications such as the White Pages Directory. Maintenance can be
+ performed in a distributed manner;
+
+ - X.500 offers good searching capabilities from any level in the DIT.
+ Also with "User Friendly Naming" in place, searches are very
+ intuitive;
+
+
+
+
+
+Jennings Informational [Page 6]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ - there are DUA interfaces for the White Pages service available for
+ all types of workstations. For an overview of X.500 software reference
+ RFC1632.
+
+ - X.500 is an international standard. Using such a standard ensures
+ interoperability within the worldwide base.
+
+2.5 Other Applications of X.500
+
+ In addition to the White Pages, X.500 can be used as a source for any
+ type of information that needs a distributed storage base.
+
+ The University of Michigan is using X.500 for electronic mail
+ routing. Any mail coming to the university domain, umich.edu; gets
+ expanded out to a local address that is stored in the rfc822Mailbox
+ attribute. The University also operates a standard X.500 name server
+ which provides name lookup service of over 200,000 names. They use
+ the Lightweight Directory Access Protocol (LDAP) [11].
+
+ An implementation of the X.500 Standard directory service has been
+ incorporated into the Open Software Foundation (OSF) Distributed
+ Computing Environment (DCE). This component, known as the Global
+ Directory Service (GDS), provides an area where distributed
+ application clients can find their application servers. The GDS, in
+ response to requests made by other clients, provides the unique
+ network address for a particular DCE resource. Because it is based
+ on a international standard, GDS can offer access to resources among
+ users and organizations worldwide. This scalable service can be
+ performed in DCE environments that range in size from the very small
+ to the very large.
+
+ Lookup services can be implemented into a variety of applications.
+ Cambridge University in Great Britain implemented the X.500 directory
+ service into an employee locator application. Based on badge sensors
+ at strategic locations, this application can determine the
+ whereabouts of an employee on the campus. As the individual moves
+ about, the sensors register their location in an X.500 Directory.
+
+ Digital Signature Service (DSS) and Privacy Enhanced Mail (PEM) work
+ on the principal of a directory key server which generates and
+ provide users with "public" codes that match previously registered
+ "private" codes. Only the recipient can decipher messages sent in
+ this fashion. The X.509 [4] standard for key certificates easily fits
+ within the structure of the X.500 Directory Service.
+
+
+
+
+
+
+
+Jennings Informational [Page 7]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+3.0 Legal Issues
+
+3.1 Introduction
+
+ Currently in the United States, there are no specific legal rules for
+ the information that is provided via an electronic directory service.
+ Various organizations and groups associated with usage of the
+ Internet, noting a need to address privacy and data integrity issues,
+ have prepared directives to address this issue. Two such areas
+ addressed are those of the rights of registrants included in the
+ directory and the responsibility of administrators to guarantee the
+ integrity of such data.
+
+ Registries containing information that is related to an individual is
+ freely transferred and unregulated in the US, unless the provider of
+ the data is an agency or an holder of sensitive information as
+ defined by federal legislation and further may differ for each state.
+ An agency is defined as: any executive department, military
+ department, Government corporation, Government controlled
+ corporation, or other establishment in the executive branch of the
+ Government (including the Executive Office of the President), or any
+ independent regulatory agency. Sensitive data can be financial
+ records, medical records, and certain legal documents. As previously
+ noted, each state has their own legislation on sensitive or private
+ data.The registered persons have little recourse to control list
+ information short of filing a lawsuit against the information
+ provider.
+
+ For individuals who transfer data across country boundaries, it is
+ important to understand that other countries may have legislation to
+ regulate data. Prior to requesting list information from these
+ countries, an administrator should review applicable legislation and
+ have some mechanism in place to ensure how data will be handled once
+ it is crosses the border. Policy Statements for some countries have
+ been prepared and are provided for via Code of Conduct papers.
+
+3.2 Purpose of the Directory
+
+ The operational intent including presentation data and list
+ registrants and access rights must be clearly defined and stated.
+ Initially this provides the skeleton of the DIT. Eventually a
+ statement such as this may provide a basis legally justifying the
+ directory.
+
+ All data presented must be defined in the purpose. If for example, a
+ directory is for the sole purpose of providing professional
+ addressing information - an entry would include name, postal address,
+ office telephone, facsimile number, electronic mail address and
+
+
+
+Jennings Informational [Page 8]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ company name. Private address information listing the home address
+ or phone would be prohibited as would any other information not
+ directly related to addressing.
+
+3.3 User Rights
+
+ The North American Directory Forum (NADF) has published a document
+ that defines the User Bill of Rights [5]. This document defines an
+ individuals rights regarding the public release of personal or
+ private information. Among other issues stated, the user has the
+ right to be notified regarding the inclusion of their information in
+ a data registry as well as the right to examine and have incorrect
+ information changed.
+
+ This paper is specifically written for the North American Directory
+ Forum and recommends compliance with US or Canadian laws regulating
+ privacy and access information.
+
+ Although current US legislation does not include all the suggestions
+ in this document, it is the responsibility of the controller of the
+ data to respect the rights of the individuals. These recommended
+ rules can be seen as respect for the individual and the considerate
+ controller will follow these guidelines within any boundaries that
+ they may be mandated by.
+
+3.4 Data Integrity
+
+ An information provider has the responsibility to guarantee the data
+ that they make available to users. The integrity of a data source is
+ heavily weighted by the accuracy and timeliness of the contents.
+ Interoperable data sources must have concurrence of these factors as
+ well. The degree to which an information provider can guarantee the
+ validity of the data that they present, reflects on the validity of
+ the provider in general. RFC 1355 [6], suggests that a data source
+ enable accuracy statements describing the process that the individual
+ NIC will use to maintain accuracy in the database.
+
+ In the European community, it is a legal requirement that the
+ information provider guarantee accurate data.
+
+ The controller of the information needs to be certain of the primary
+ source of data. When possible, the controller should develop routines
+ of random checks to validate the registry data for correctness.
+
+
+
+
+
+
+
+
+Jennings Informational [Page 9]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+3.5 Data Security
+
+ A Directory Service with non-authenticated access from the Internet
+ is difficult to protect from unauthorized use. Unauthorized use being
+ defined by each organization within the directory purpose statement.
+ Typical misuse being by individuals who attempt to duplicate the
+ directory for unauthorized purposes. Other security measures include:
+ Access Control Lists (ACLs), limitations on number of entries
+ returned to a query, and time to search flags. The result of such
+ controls will affect the legitimate user as well as the user they are
+ intended to block.
+
+ An alternative that may provide protection from misuse is to create
+ and display an attribute with each entry stating non-approved usage.
+ This feature will also provide evidence of restricted use in the
+ event that a legal case is necessary to stop unauthorized access.
+
+ The responsibility again falls on the data provider/implementor of
+ the directory service. Astute programmers will create or make use of
+ existing tools to protect against data destruction, falsification,
+ and misuse.
+
+3.6 Conclusions
+
+ User Rights, Data Integrity and Protection of data should not be
+ considered merely in an effort to abide by legal rulings; they should
+ be the intention of a good data source. A successful Directory
+ Service must be aware of the requirements of those individuals
+ inclusive in the list as well as those of the directory users.
+
+ In general, at the minimum the following conditions should be
+ observed:
+
+ 1. Define the purpose of the Directory.
+ 2. Initially inform all registrants of their inclusion in
+ a Directory.
+ 3. Prevent the use of data beyond the stated purpose.
+ 4. Limit the attributes associated to an entry within
+ boundaries of the purpose.
+ 5. Work towards a suitable level of security.
+ 6. Develop a mechanism to correct/remove faulty data
+ or information that should not be in the Directory.
+
+
+
+
+
+
+
+
+
+Jennings Informational [Page 10]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+4.0 Infrastructure
+
+4.1 Introduction
+
+ The White Pages Project, currently operated by Performance Systems
+ International (PSI) provides a reliable QUIPU infrastructure for
+ sites wishing to provide their own X.500 directory. Started in 1989
+ as the NYSERNet White Pages Pilot Project it was the first
+ production-quality field test of the Open Systems Interconnection
+ (OSI) technology running on top of TCP/IP suite of protocols [7].
+ This pilot X.500 Directory, provided a real-time testbed for a
+ variety of administrative and usage issues that arise. Today, more
+ than 30 countries participate in the globally distributed project
+ with over 1 million entries. The White Pages pilot is one of 37 other
+ pilots cooperating to provide information in the Nameflow-PARADISE
+ directory; an European project.
+
+ Initially the software was public domain, QUIPU X.500 [8]. This
+ "shareware" application in conjunction with administrative services
+ provided free of charge by PSI, allowed for a truly distributed X.500
+ Directory Service to operate.
+
+ In keeping with the Internet rules of operation, the lack of the US
+ regulations, the suggestions of North American Directory Forum and
+ the Internet Engineering Task Force (IETF), the complications that
+ arise from multi-distributed data as a service can be overwhelming.
+ PSI took on the challenge to provide such a service, and continues to
+ ensure operations today.
+
+4.2 A Well Maintained Infrastructure
+
+ This distributed information service involves the cohesive effort of
+ all of the participating organizations. The ISO Development
+ Environment (ISODE) implementation of the OSI Directory, provided the
+ attributes and uniformity to facilitate this effort.
+
+ The primary DSA for the PSI Project is named Alpaca. Operating on a
+ Sun Sparc 10 with 120 megabytes of memory, this host serves as the
+ Master for the DSAs of 117 organizations under c=US. Redundancy for
+ Alpaca is provided by two sources, Fruit Bat operated by PSI and Pied
+ Tamarin operated by the InterNIC. Slave updates to this host are
+ provided on a nightly basis from the individual DSAs.
+
+ The data presentation is hierarchical in nature and emulates the
+ common white pages telephone book. The information provided contains
+ at minimum: a common name, voice phone listing, and electronic mail
+ addressing. Each entry has a uniqueness associates with it; the
+ relative distinguished name which is comprised of the entire
+
+
+
+Jennings Informational [Page 11]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ directory information tree. The DITs may vary slightly, but each must
+ contain an organization, and a person. The nature of the directory
+ and the structure of the actual organization for whom the directory
+ is being provided contribute to the overall DIT structure. The
+ following is a list of commonly used attributes:
+
+commonName physicalDeliveryOfficeName stateOrProvinceName
+description photo streetAddress
+userid postOfficeBox surname
+favouriteDrink postalAddress telephoneNumber
+title rfc822Mailbox facsimileTelephoneNumber
+
+4.3 DUA Interfaces for End Users
+
+ There are a variety of user interfaces on the market today that will
+ provide Directory User Agent access to the X.500 Directory. Standard
+ protocols such as fred, whois, whois++, finger, are used widely.
+ Interfaces are also available via World-wide Web browsers and
+ electronic mail.
+
+ Vendors providing DUAs include ISODE Consortium, NeXor, and Control
+ Data Corporation. These applications operate in conjunction with the
+ vendor provided DSAs.
+
+ Historically DUA interfaces were difficult to implement and required
+ the entire OSI stack. Implementing such a product on a PC or Apple
+ platform required skillful programming. The executable for these
+ platforms were usually very large. The IETF has since defined and
+ standardized the Lightweight Directory Access Protocol (LDAP) [11]; a
+ protocol for accessing on-line Directory services which offers
+ comparable functionality to the Directory Access Protocol (DAP). It
+ runs directly over TCP and is used by nearly all X.500 clients. LDAP
+ does not have the overhead of the various OSI layers and runs on top
+ of TCP/IP.
+
+ The functionality varies by specific DUA. Each offers access to the
+ X.500 Directory. Most offer the ability to make modifications to
+ entries. There are a few that offer Kerberos authentication.
+
+ Further information on LDAP clients for specific platforms can be
+ found on the University of Michigan WWW server:
+ http://www.umich.edu/~rsug/ldap.
+
+ Another interface that has been tested and recommended for users by
+ our Dutch (Surfnet) colleagues is Directory Enquiry (DE). Originally
+ developed by University College London for the Paradise project in
+ Europe, the engineers at Surfnet have selected DE as the best
+ interface for "dumb" terminals. They have also translated the
+
+
+
+Jennings Informational [Page 12]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ interface into Dutch for their local users [12].
+
+ Ideally, users should be able to access X.500 directly from their
+ electronic mail applications. Vendors (other than the ones mentioned
+ above) have been slow to incorporate the X.500 Standards into their
+ electronic mail applications.
+
+5.0 Datamanagement & Pilot Projects
+
+5.1 Simple Internet White Pages Service
+
+ A wide variety of directory services retrieval protocols has emerged
+ in the time since the original Internet White Pages was begun in
+ 1989. To ensure that decentralized implementations will have
+ interoperability with other providers, the IETF Integrated Directory
+ Services Working Group, is working to create a draft focusing on the
+ common information and operational modeling issues to which all
+ Internet White Pages Services (IWPS) must conform to.
+
+ Utilizing current information servers, the conceptual model described
+ includes issues regarding naming, schema, query and response issues
+ for a narrowly defined subset of directory services. The goal of this
+ paper is to establish a simple set of information objects, coupled
+ with a basic set of process requirements that will form a basis which
+ can lead to ubiquitous IWPS. With this goal in mind, it will be
+ easier to proved a consistent User view of the various directory
+ services.
+
+5.2 InterNIC
+
+ The InterNIC [9] is a collaborative project of two organizations
+ working together to offer the Internet community a full scope of
+ network information services. Established in January 1993 by the
+ National Science Foundation, the InterNIC provides registration
+ services and directory and database services to the Internet.
+ (Internet a global network of more than 13,000 computers networks,
+ connecting over 1.7 million computers and used by an estimated 13
+ million people.) In keeping up with the exponential growth of the
+ Internet, the InterNIC provides a guide to navigate the maze of
+ available resources.
+
+ InterNIC provides two types of services; InterNIC directory and
+ database services and registration services. AT&T provides the
+ directory and database services, acting as the pointer to numerous
+ resources on the network offering X.500 to help users easily locate
+ other users and organizations on the Internet.
+
+
+
+
+
+Jennings Informational [Page 13]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+5.3 ESnet
+
+ The Energy Sciences Network [10], is a nationwide computer data
+ communications network whose primary purpose is support multiple
+ program, open scientific research. As part of this support, ESnet
+ offers networking services including information access and
+ retrieval, directory services, group communications series, remote
+ file access services and infrastructure services. As a early member
+ of the White-Pages Pilot Project, ESnet continues to be a part of the
+ worldwide distributed directory service based on the ISO/OSI X.500
+ standard. There are over nineteen ESnet organization represented in
+ the directory, comprising over 120,000 entries. ESnet provides access
+ to seven other sites via the X.500 DSAs.
+
+6.0 Recommendations
+
+6.1 General
+
+ The X.500 Directory technology is available through several options.
+ Vendors can provide consultation for schema design as well as supply,
+ install, and support the software to perform the operations required.
+ For smaller organizations or companies who do not want to administer
+ their own DSA, there are providers available who will maintain the
+ DSAs remotely and provide this service to the Internet. Those with
+ network and management expertise, can either operate independently or
+ join one of several white pages directory projects. Careful
+ consideration must be given to the initial investment required and
+ the required maintenance process.
+
+6.2 Getting Started
+
+ Successful initialization of a directory service requires a
+ systematic approach. The complexity of offering this type of service
+ becomes more apparent as implementation progresses. Several aspects
+ must be considered as this service becomes a cooperative effort among
+ the technical, administrative, organizational, and legal disciplines.
+ Procedures must be defined and agreed to at the initial phase of
+ implementing an X.500 Directory service [13]. The following are
+ issues that should be addressed in these procedures.
+
+6.3 Who are the Customers?
+
+ Defining the customer and the customer requirements will determine
+ the scope of service to offer. What is the primary purpose for the
+ directory service? A company may find it desirable to do away with a
+ paper directory while simultaneously providing the current directory
+ information. The directory may be for internal use only or expanded
+ to any users with Internet access. Will the customer use the
+
+
+
+Jennings Informational [Page 14]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ directory for e-mail address only or is other locational information
+ such as postal address and telephone number a requirement?
+
+ The directory may provide information to electronic customers such as
+ distributed computing applications as well. In this case, the data
+ must be provided in machine readable format.
+
+ Will the customers extend across country boundaries? Information may
+ be considered private by one country and not by another. It is
+ necessary to be aware of the legalities and restrictions for the
+ locality using the data. Some counties have published a Code of
+ Conduct with the IETF, explicitly stating the legal restrictions on
+ directory and list data. Check the archives to determine if the
+ country with whom information will be shared has presented such
+ information.
+
+6.4 What are the contents of the Directory?
+
+ The information presented in the directory is tightly coupled with
+ the purpose. If the purpose is to provide addressing information for
+ individuals, then customary information would include: Name, address,
+ phone, e-mail address, facsimile number, pager, etc. If the use of
+ the directory is to facilitate electronic mail routing then the
+ destination mail address needs to be included for each user. No other
+ information should be presented in the directory if it is not
+ directly related to the purpose.
+
+ If the directory is internal only, it may be desirable to include the
+ registrants title as well. Remember that information available on the
+ Internet is generally open to anyone who wants to access it.
+ Individuals wishing to target a specific market may access
+ directories to create customer mailing lists.
+
+ The structure or schema of the X.500 Directory must be an initial
+ consideration. Will the hierarchy follow the company structure or is
+ a different approach more practical? How many entries will there be
+ in the directory five or 50,000? A complex hierarchyfor thousands of
+ users may affect the efficiency of queries.
+
+6.5 What are the rights of the individuals?
+
+ The subjects included in the directory shall have well defined
+ rights. These may be mandated by company policy, legal restrictions,
+ and the ultimate use of the directory. For a basic Internet White
+ Pages Service these rights may include:
+
+
+
+
+
+
+Jennings Informational [Page 15]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ 1. the option of inclusion in the directory
+ 2. the right of access to the information
+ 3. the right to have inaccurate entries corrected
+
+ The terms and conditions for employees of an organization may affect
+ these rights. On becoming an employee of any organization, an
+ individual inevitably agrees to forego certain personal privacies and
+ to accept restrictions.
+
+ Every organization should develop and publish the "rights" that can
+ be expected by the list registrants.
+
+6.6 Data Integrity
+
+ Information that needs to be included in the directory may come from
+ various sources. Demographic information may originate from the human
+ resources department. Electronic mail addresses may be provided by
+ the computer network department. To guarantee data integrity, it is
+ advised that the data be identified and maintained as corporate
+ information.
+
+ The required timeliness of the data is unique for each DSA. Updates
+ to the data may be a frequent as once a day or once a month. Updates
+ to the data must be provided on a regular basis. In cases where data
+ is time sensitive, an attribute should be included to display the
+ most recent maintenance date.
+
+ A regular check for data accuracy should be included in the directory
+ administration. Faulty information may put an organization in breach
+ of any data protection laws and possibly render the company as
+ unreliable.
+
+6.7 Data Security
+
+ Securing networked information resources is inherently complex.
+ Attempts must be made to preserve the security of the data. These may
+ include access control lists (ACLs), limiting the number or responses
+ allowed to queries, or internal/external access to the directory.
+
+ The 1993 recommendations have added a complex access control model
+ that is designed to tightly restrict the access that users may have
+ to the information in the Directory. Local protection is configured
+ by the implementor. A secure X.500 Directory should provide tools to
+ protect against destruction, falsification, and loss of data.
+
+ There is not a tool yet that will protect against the misuse of data.
+ There are flags and limits that can be set from within the
+ application that will serve somewhat as a barrier to such unwanted
+
+
+
+Jennings Informational [Page 16]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ use. Any restrictions however, also will affect the legitimate users.
+ One suggestion is to post a notice of illegitimate use within each
+ entry. This of course will only serve as a deterrent and as an asset
+ should legal action be required.
+
+ Again, caution must be taken when transferring data between country
+ and state borders. In the US data regulations differ from state to
+ state.
+
+6.8 Data Administration
+
+ The decentralized nature of the X.500 Directory service means that
+ each organization has complete control over the data. As part of a
+ global service however, it is important that the operation of the DSA
+ be monitored and maintained in a consistent manner. Authorization
+ must be given to the local manager of the information and in some
+ cases, the subjects included in the directory may also have
+ modification privileges.
+
+ Once the service is running, the importance of guaranteed operation
+ can not be overstated. Maintenance of the local Directory will be an
+ integral part of normal administrative procedures within the
+ organization and must be defined and agreed upon in the initial
+ stages of development.
+
+6.9 Conclusion
+
+ Establishing a Directory service within an organization will involve
+ a great deal of cooperative effort. It is essential to get commitment
+ from the integral parties of an organization at the onset. This
+ includes the technical, legal, and data managements components of the
+ organization. Executive level commitment will make it much easier to
+ get the cooperation necessary.
+
+ Operational procedures must be clearly defined, as the inclusion in a
+ globally distributed service has wide visibility. Adherence to these
+ procedures must be maintained to the highest degree possible as
+ misinformation may result in unintentional legal violations and
+ unreliable access or data can adversely affect on a companys
+ reputation.
+
+ An X.500 Directory can be extremely useful for an organization if it
+ operates as designed. It may serve as the "hub" of the information
+ routing and the basis for several everyday activities. A successful
+ service will be one of the most important tools for communication in
+ the computer network environment. For people to make use of the
+ service, they must be able to rely on consistent and accurate
+ information.
+
+
+
+Jennings Informational [Page 17]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+References
+
+ 1. CCITT Blue Book, Volume VIII - Fascicle VIII.8, November 1988.
+
+ 2. RFC 1632; A Revised Catalog of Available X.500
+ Implementations. A. Getchell; ESnet, S.
+ Sataluri; AT&T.
+
+ 3. RFC 1274; The COSINE and Internet X.500 Schema. P. Barker &
+ S. Kille.
+
+ 4. CCITT Blue Book, Volume VIII - Fascicle VIII - Rec. X.509,
+ November 1988.
+
+ 5. RFC 1295; User Bill of Rights for entries and listing in the
+ Public Directory. Networking Working Group; IETF, January
+ 1992.
+
+ 6. STD 35, RFC 1355; Privacy and Accuracy Issues in Network
+ Information Center Databases. Curran, Marine, August 1992.
+
+ 7. RFC 1006, ISO Transport Class 2 Non-use of Explicit Flow
+ Control over TCP RFC 1006 extension. Y. Pouffary, June 1995.
+
+ 8. Colin Robbins, NEXOR Ltd., Nottingham, London.
+ c.robbins@nexor.co.uk
+
+ 9. InterNIC; Collaborative effort of AT&T and
+ Network Solutions; info@internic.net
+
+ 10. ESnet; Managed and funded by the US Department of Energys
+ Energy Research Office in Scientific Computing (DOE/ER/OSC).
+
+ 11. RFC 1777; Lightweight Directory Access Protocol, W. Yeong,
+ T. Howes, S. Kille, March 1995.
+
+ 12. Building a Directory Service, Final Report test phase SURFnet
+ X.500 pilot project, June 1995.
+
+ 13. The X.500 Directory Services: a discussion of the concerns
+ raised by the existence of a global Directory, Julia M. Hill,
+ Vol.2/No.1 Electronic Networking, Spring 1992.
+
+ 14. Directory Services and Privacy Issues, E. Jeunik and E.
+ Huizer.
+
+
+
+
+
+
+Jennings Informational [Page 18]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ 15. The Little Black Book; Mail Bonding with OSI Directory
+ Services, Marshall T. Rose, Simon & Schuster Company,
+ 1992.
+
+ 16. NYSERNet White Pages Pilot Project: Status Report; NYSERNet
+ Technical Report #89-12-31-1, Marshall T. Rose, December 1989.
+
+ 17. RFC 1798, Connection-less Lightweight Directory Access
+ Protocol, A. Young, June 1995.
+
+ 18. RFC 1781; Using the OSI Directory to Achieve User Friendly
+ Naming, S. Kille, March 1995.
+
+ 19. draft-ietf-pds-iwps-design-spec-01.txt, Tony Genovese;
+ Microsoft, Work in Progress, July 1995.
+
+ 20. draft-ietf-ids-privacy-00.txt, B. Jennings; Sandia National
+ Laboratories, S. Sataluri; AT&T, Work in Progress, November
+ 1994.
+
+Glossary
+
+ ACL Access Control List; a mechanism to restrict access to data
+ stored in an X.500 Directory Service
+
+ Attribute A collection of attributes belong to an entry in the
+ Directory Service, and contain information belonging
+ to that entry.
+
+ c= countryName; Object class definition, specifies a country.
+ When used as part of the directory name, it identifies the
+ country in which the named object is physically located.
+
+ cn= commonName; Attribute defining common name for individuals
+ included in a directory. In 1988 standards can be up to 64
+ characters.
+
+ CCITT The International Telegraph and Telephone Consultative
+ Committee.
+
+ DAP Directory Access Protocol; the protocol between a DUA and a
+ DSA.
+
+ DIB Directory Information Base; a collection of information
+ objects in the Directory.
+
+ DIT Directory Information Tree; the hierarchy of the distributed
+ database that makes up an X.500 service.
+
+
+
+Jennings Informational [Page 19]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ DSA Directory System Agent; an application that offers the
+ Directory service, this is the database for the Directory.
+
+ DUA Directory User Agent; an application that facilitates User
+ access to a DSA.
+
+ E-Mail Electronic Mail. Entry A Directory Service contains entries
+ on people, organizations, countries, etc. Entries belong to a
+ certain class, and information on entries is stored in
+ attributes.
+
+ ESnet Energy Sciences Network; nationwide computer data
+ communications network.
+
+ GUI Graphical User Interface.
+
+ IETF Internet Engineering Task Force; an internationally
+ represented task force charged with solving the short-term
+ needs of the Internet
+
+ Internet A collection of connected networks, international,
+ running the Internet suite of protocols.
+
+ InterNIC Directory of Directories, a collaborative project
+ between AT&T, and Network Solutions, Inc.
+
+ IP Internet Protocol; the network protocol offering a
+ conectionless-mode network service in the Internet suite of
+ protocols.
+
+ ISODE ISO Development Environment, a research tool developed to
+ study the upper-layers of OSI and deploy network applications
+ according to the ISO OSI standards and ITU X series of
+ recommendations.
+
+ ITU International Telecommunication Union; formerly the CCITT.
+
+ LDAP Lightweight Directory Access Protocol, an Internet Standard
+ for a lightweight version of DAP running over TCP/IP.
+
+ Object Entries in a Directory Service belong to an Object Class to
+ Class indicate the type and characteristic; e.g. Object Class
+ "person".
+
+ OSI Open Standards Interconnection, An international
+ standardization program, facilitated by ISO and ITU to develop
+ standards for data networking.
+
+
+
+
+Jennings Informational [Page 20]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+ o= organization; An attribute defining the company or
+ organization that the person works for.
+
+ ou= organizational unit; An attribute found under organization.
+ Denotes the department, division, or other such sub-unit of
+ the organization that the person works in.
+
+ PEM Privacy Enhanced Mail; and Internet Standard for sending
+ secure Electronic mail.
+
+ PSI Performance Systems International, Inc.; operator of the
+ Internet White Pages Project
+
+ QUIPU X.500 Directory implementation developed by Colin Robbins
+ while at the University College of London.
+
+ RDN Relative Distinguished Name; a unique identifier for each list
+ subject, defined by the hierarchy of the DSA.
+
+ RFC Request For Comments; Internet series publications
+
+ sn= surname; Attribute defining the surname of the person in the
+ directory.
+
+ TCP/IP Transmission Control Protocol and Internet Protocol; two
+ internet protocols.
+
+ White-Pages Electronic directory, accessible via Internet suite of
+ protocols.
+
+ Whois An Internet standard protocol.
+
+ Whois++ An Internet Directory Services protocol; a possible
+ alternative for X.500 WPS
+
+ White Pages Service a Directory Service that contains information on
+ people and organizations.
+
+ X.500 A series of recommendations as defined by the ITU, that
+ specify a Directory Services protocol.
+
+
+
+
+
+
+
+
+
+
+
+Jennings Informational [Page 21]
+
+RFC 1943 Building an X.500 Directory Service in the US May 1996
+
+
+9.0 Security Considerations
+
+ Security issues are not discussed in this memo.
+
+Author's Address
+
+ Barbara Jennings
+ Sandia National Laboratories
+ Scientific Computing Systems
+ P.O. Box 5800
+ M/S 0807
+ Albuquerque, NM 87106
+ USA
+
+ Phone: 505-845-8554
+ Fax: 505-844-2067
+ EMail: jennings@sandia.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jennings Informational [Page 22]
+
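Review bot: This copy of RFC 1943 should stay byte-for-byte as published, so none of the visible defects in the added text should be "fixed" in a follow-up: the typos in the body and glossary ("hierarchyfor", "conectionless-mode", "Energys", "PEM ... and Internet Standard"), the section numbering that jumps from "6.9 Conclusion" straight to "9.0 Security Considerations" with no 7.0 or 8.0, and the "Security Considerations" section that says security is not discussed even though section 6.7 "Data Security" covers ACLs and the 1993 access control model. If the repo keeps notes on its doc/rfc/ copies, a one-line remark that these oddities are in the original publication would save a later contributor from opening a "fix typos" PR against an archival file.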