Eric Bomarsi | 9 Jun 1998 23:39

DNS and X.501 DistinguishedName

A network entity such as a router may require
an X.501 DistinguishedName to utilize LDAP
directory services or generate PKCS certificate
requests.

It's possible that the network entity can
use its domain name to create an X.500
Distinguished Name as specified in RFC2247.
However, I'm concerned that this might be too
inflexible since many organizations may
implement an internal X.500 naming convention
unrelated to their Internet domain naming.

Has any MIB work been done to support
distinguished name configuration?

Thanks in advance,
Eric Bomarsi

Andreas Berger | 10 Jun 1998 11:16

Re: DNS and X.501 DistinguishedName

Eric Bomarsi wrote:
>
> A network entity such as a router may require
> an X.501 DistinguishedName to utilize LDAP
> directory services or generate PKCS certificate
> requests.
>
> It's possible that the network entity can
> use its domain name to create an X.500
> Distinguished Name as specified in RFC2247.
> However, I'm concerned that this might be too
> inflexible since many organizations may
> implement an internal X.500 naming convention
> unrelated to their Internet domain naming.
>
> Has any MIB work been done to support
> distinguished name configuration?
>
> Thanks in advance,
> Eric Bomarsi
As RFC2247 states, you can combine any DN with the DC Attributes, e.g.

CN=Router LA, DC=rr27, dc=foo-org, dc=com, o=Foo\, Inc., c=US

I do not know if that solves your problem.

Andreas
--
Erst kommt das Fressen, dann kommt die Moral
 -- Bertolt Brecht
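As an added illustration of Andreas's point (example code, not from the thread): building the device DN from the DNS name per RFC 2247, one dc= component per label, and appending whatever suffix the organization's directory already uses. Attribute values are escaped per RFC 2253, which is why "Foo, Inc." comes out as "Foo\, Inc." exactly as in his example. The device name, domain and suffix are constructed sample values.

```python
"""RFC 2247 domain-to-DN conversion combined with an organization-chosen
DN suffix, written as an RFC 2253 string.  Added example, not code from
the thread; the inputs used below are constructed sample values.
"""
from typing import List, Optional, Tuple

# RFC 2253 section 2.4: characters that must be escaped inside a value.
_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RFC 2253 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' would read as hex-encoded
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing spaces
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_dc_rdns(domain: str) -> List[Tuple[str, str]]:
    """RFC 2247: 'rr27.foo-org.com' -> [('dc','rr27'), ('dc','foo-org'), ('dc','com')]."""
    labels = [l for l in domain.strip().rstrip('.').lower().split('.') if l]
    if not labels:
        raise ValueError("empty domain name")
    for l in labels:
        # Hostname labels: letters, digits, hyphen; no leading/trailing hyphen; max 63 octets.
        if (len(l) > 63 or not all(c.isalnum() or c == '-' for c in l)
                or l[0] == '-' or l[-1] == '-'):
            raise ValueError(f"invalid DNS label: {l!r}")
    return [('dc', l) for l in labels]


def build_device_dn(cn: str, domain: str,
                    suffix: Optional[List[Tuple[str, str]]] = None) -> str:
    """Compose cn=<device>, dc=<labels>..., <organization suffix> as one DN string.

    The suffix is whatever the organization's directory uses (o=, c=, ou=...);
    RFC 2247 only fixes the dc= part, so any existing naming scheme fits after it.
    """
    rdns = [('cn', cn)] + domain_to_dc_rdns(domain) + list(suffix or [])
    return ','.join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)


if __name__ == "__main__":
    # Constructed sample: the router from Andreas's example.
    print(build_device_dn("Router LA", "rr27.foo-org.com",
                          [("o", "Foo, Inc."), ("c", "US")]))
```

The organization-specific part stays a plain list of RDNs supplied by configuration, which is the flexibility Eric was asking for: the dc= components are derived, everything after them is policy.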

Greg Carter | 10 Jun 1998 15:16

Re: DNS and X.501 DistinguishedName

Hi Eric,

For X.509 (PKCS10 requests or PKIX requests) you should look at the
subjectAltName extension.  It allows the certification authority to list a
number of alternative names which the entity is associated with.  This list
can include name types such as IP Address, DNS, and rfc822 names.  Therefore
the network device can have its DNS and/or IP Address stored in the
certificate, while having an X.500 DN that fits the organization's directory
structure.

From X.509
12.3.2.1        Subject alternative name field
This field contains one or more alternative names, using any of a variety of
name forms, for the entity that is bound by the CA to the certified public
key. This field is defined as follows:
subjectAltName EXTENSION ::= {
        SYNTAX  GeneralNames
        IDENTIFIED BY id-ce-subjectAltName }

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
        otherName                       [0]     INSTANCE OF OTHER-NAME,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
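To show what the GeneralNames structure Greg quotes looks like on the wire, here is an added example (not code from the thread or from any library) that DER-encodes and decodes a subjectAltName value for the name forms a device would use: rfc822Name, dNSName, uniformResourceIdentifier and iPAddress. These CHOICE alternatives are IMPLICITly tagged in X.509, so each becomes a context-specific primitive tag (0x81, 0x82, 0x86, 0x87) rather than the universal IA5String/OCTET STRING tag. The hostname and address used are constructed sample values.

```python
"""Minimal DER encoder/decoder for the X.509 subjectAltName value
(GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName).  Added example,
not from the thread; only the primitive, IMPLICITly tagged name forms are
handled.  directoryName [4] (constructed) and otherName [0] are rejected.
"""
import ipaddress
from typing import List, Tuple

# Context-specific class (0x80) + tag number from the GeneralName CHOICE.
_TAG_OF = {"rfc822Name": 0x81, "dNSName": 0x82,
           "uniformResourceIdentifier": 0x86, "iPAddress": 0x87}
_NAME_OF = {v: k for k, v in _TAG_OF.items()}
_SEQUENCE = 0x30


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, else long form with a byte count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def encode_general_name(kind: str, value: str) -> bytes:
    if kind not in _TAG_OF:
        raise ValueError(f"unsupported GeneralName form: {kind}")
    if kind == "iPAddress":
        # OCTET STRING holding the raw address: 4 octets for IPv4, 16 for IPv6.
        content = ipaddress.ip_address(value).packed
    else:
        # IA5String is 7-bit ASCII; anything else is not a valid encoding.
        if not value.isascii():
            raise ValueError(f"{kind} must be IA5 (ASCII): {value!r}")
        content = value.encode("ascii")
    return _tlv(_TAG_OF[kind], content)


def encode_subject_alt_name(names: List[Tuple[str, str]]) -> bytes:
    if not names:
        raise ValueError("GeneralNames requires at least one name (SIZE (1..MAX))")
    return _tlv(_SEQUENCE, b"".join(encode_general_name(k, v) for k, v in names))


def decode_subject_alt_name(der: bytes) -> List[Tuple[str, str]]:
    """Parse GeneralNames back into (form, value) pairs, rejecting malformed input."""
    if not der or der[0] != _SEQUENCE:
        raise ValueError("expected SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("length does not match buffer")
    names: List[Tuple[str, str]] = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        content = der[pos:pos + length]
        if len(content) != length:
            raise ValueError("truncated element")
        pos += length
        if tag not in _NAME_OF:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        kind = _NAME_OF[tag]
        if kind == "iPAddress":
            if length not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            names.append((kind, str(ipaddress.ip_address(content))))
        else:
            names.append((kind, content.decode("ascii")))
    return names


if __name__ == "__main__":
    # Constructed sample: a router identified by hostname and address.
    san = encode_subject_alt_name([("dNSName", "rr27.foo-org.com"),
                                   ("iPAddress", "192.0.2.1")])
    print(san.hex())
    print(decode_subject_alt_name(san))
```

The decoder checks the outer length against the buffer and the iPAddress octet count, which is where hand-rolled parsers of this extension usually go wrong; a real deployment would hand the DER to a full ASN.1 library, but the tags and layout are exactly these.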

Eric Bomarsi | 10 Jun 1998 20:15

Re: DNS and X.501 DistinguishedName

Thanks Greg,

I see.

So I can generate an X.509 certificate request from
the system's domain name or one of its IP addresses,
(and I should make that user selectable.)

However, the subjectAltName is specific to an X.509
certificate request and so I believe I still need
a way to enter an X.500 distinguished name into the
system for LDAP services, unless there is a similar
alternate name construct for LDAP?

/Eric Bomarsi

Greg Carter wrote:
>
> Hi Eric,
>
> For X.509 (PKCS10 requests or PKIX requests) you should look at the
> subjectAltName extension.  It allows the certification authority to list a
> number of alternative names which the entity is associated with.  This list
> can include name types such as IP Address, DNS, and rfc822 names.  Therefore
> the network device can have its DNS and/or IP Address stored in the
> certificate, while having an X.500 DN that fits the organization's directory
> structure.
>
> From X.509
> 12.3.2.1        Subject alternative name field

Peter Whittaker | 10 Jun 1998 20:43

Re: DNS and X.501 DistinguishedName

In your original note, you questioned the use of RFC 2247 naming scheme, as organizations might choose to
use some other naming scheme in their directory.  Greg's suggestion allows you to accommodate any
organization's naming scheme, with the data of interest to the devices/applications in question being
located elsewhere than the DN (it may be there also, but devices/applications need not depend on being
there).

A device's certificate will contain its IP address or hostname in the subjectAltName extension, and may
contain its DN in the subject field.  If these certificates are written to and retrieved from the
directory, they will (likely) be in the entry whose DN is the subject DN in the certificate.

You're right that if you are using a directory and expecting to be able to store/retrieve certificates
in/from it, you will need to generate DNs for your routers.  The subjectAltName extension allows you to do so
within the bounds of your existing naming scheme/preferences, while retaining in the certificate
information most likely to be useful for network devices.  In general, extensions such as subjectAltName
are a very useful place to put such data.

Note too that the subject and issuer fields in X.509 certificates can be empty.  The PKIX group has profiled
the use of empty issuer and subject names to allow for those cases where directories are not involved.

pww

Peter Whittaker
Entrust Technologies
http://www.entrust.com

> -----Original Message-----
> From: Eric Bomarsi [mailto:ebomarsi <at> xedia.com]
> Sent: Wednesday, June 10, 1998 2:16 PM
> To: Greg Carter
> Cc: ietf-lsd <at> listserv.umu.se; ipsec <at> tis.com; ietf-pkix <at> imc.org

Erik Skovgaard | 10 Jun 1998 22:55

Re: DNS and X.501 DistinguishedName

Peter,

You may want to turn whatever generates RTF off.

Cheers,               ....Erik.

At 14:43 98/06/10 -0400, you wrote:
>{\rtf1\ansi\ansicpg1252\fromtext \deff0{\fonttbl {\f0\fswiss Arial;}
>{\f1\fmodern Courier New;} {\f2\fnil\fcharset2 Symbol;}
>{\f3\fmodern\fcharset0 Courier New;}}
>{\colortbl\red0\green0\blue0;\red0\green0\blue255;}
>\uc1\pard\plain\deftab360 \f0\fs20\cf0 In your original note, you
>questioned the use of RFC 2247 naming scheme, as organizations might choose
>to use some other naming scheme in their directory.  Greg's suggestion
>allows you to accomodate any organization's naming scheme, with the data of
>interest to the devices/applications in question being located elsewhere
>than the DN (it may be there also, but devices/applications need not depend
>on being there). \par \par A device's certificate will contain its IP
>address or hostname in the subjectAltName extension, and may contain its DN
>in the subject field.  If these certificates are written to and retrieved
>from the directory, they will (likely) be in the entry whose DN is the
>subject DN in the certificate.\par \par You're right that if you are using
>a directory and expecting to be able to store/retrieve certificates in/from
>it, you will need to generate DNs for your routers.  The subjectAltName
>extension allows you do so within the bounds of your existing naming
>scheme/preferences, while retaining in the certificate information most
>likely to be useful for network devices.  In general, extensions such as
>subjectAltName are a very useful place to put such data.\par \par Note too
>that the subject and issuer fields in X.509 certificates can be empty.  The
>PKIX group has profiled the use of empty issuer and subject names to allow

Harald Tveit Alvestrand | 11 Jun 1998 09:13

IP addresses in certs (Re: DNS and X.501 DistinguishedName)

At 14:43 10.06.98 -0400, Peter Whittaker wrote:
>
>A device's certificate will contain its IP address or hostname in the
>subjectAltName extension, and may contain its DN in the subject field.  If
>these certificates are written to and retrieved from the directory, they
>will (likely) be in the entry whose DN is the subject DN in the certificate.
>
Small diatribe:

Please do NOT even consider for more than 60 seconds using the
IP address as an identifier for the host for more than approximately
the same amount of time.

With DHCP, many hosts have IP address lifetimes of hours.
With provider-based addressing, many networks have IP address lifetimes
of months.
With NAT, many hosts have the *same* IP address, so it's not even unique.

The only possible use I can see for an X.509 certificate with an IP address
in it is as part of something like "secure DHCP" - having a certified
assignment of an IP address to a host.

For more info about why IP addresses in applications that don't absolutely
*have* to have them is a Really Bad Thing, see the PIER WG's documents.

                    Harald A

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand <at> maxware.no
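An added example (not from the thread) of the check a relying party or CA operator could run over a certificate's decoded subjectAltName entries before treating any of them as the device's identity, along the lines of Harald's objection: each iPAddress entry is classified with Python's ipaddress module, so that addresses behind NAT (RFC 1918 / ULA space, hence not unique), non-routable addresses, and even public addresses (leased or renumberable) are each reported, and a certificate with no dNSName at all is flagged as lacking a stable identifier. The input format is the (name form, value) pair list; the sample inputs are constructed.

```python
"""Classify the identifiers in a decoded subjectAltName by how durable they
are as a host identity.  Added example, not from the thread.  Input is a list
of (GeneralName form, value) pairs such as ("dNSName", "host.example").
"""
import ipaddress
from typing import List, Tuple

# Reason codes returned for each finding.
PRIVATE = "private"            # RFC 1918 / ULA: reused behind NAT, not unique
NON_ROUTABLE = "non-routable"  # loopback, link-local, multicast, unspecified
LEASED = "leased"              # public address, but DHCP leases and provider
                               # renumbering make it short-lived
NO_STABLE_NAME = "no-stable-name"  # certificate carries no dNSName at all


def audit_identifiers(names: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (identifier, reason) findings; an empty list means nothing to flag."""
    findings: List[Tuple[str, str]] = []
    has_dns_name = any(kind == "dNSName" for kind, _ in names)
    for kind, value in names:
        if kind != "iPAddress":
            continue
        addr = ipaddress.ip_address(value)
        # Check the non-routable classes first: 127.0.0.0/8 is also in the
        # module's private list, and "non-routable" is the more precise finding.
        if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
            findings.append((value, NON_ROUTABLE))
        elif addr.is_private:
            findings.append((value, PRIVATE))
        else:
            findings.append((value, LEASED))
    if names and not has_dns_name:
        findings.append(("*", NO_STABLE_NAME))
    return findings


if __name__ == "__main__":
    # Constructed samples: a router behind NAT, and one with only a loopback address.
    for sample in ([("dNSName", "rr27.foo-org.com"), ("iPAddress", "10.1.2.3")],
                   [("iPAddress", "127.0.0.1")]):
        print(sample, "->", audit_identifiers(sample))
```

Note that the ipaddress module also classifies the RFC 5737 documentation ranges (192.0.2.0/24 and friends) as private, so test data from those ranges will land in the "private" bucket rather than "leased".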

Christopher W Apple | 13 Jun 1998 07:22

LDAP Address Book Schema

Does anyone know of an existing public specification for
an Address Book schema for LDAP directories?

Specifically, I'm looking for examples of existing practice
of using an LDAP server as a repository for Personal Address Book
information that could be accessed from mail clients.

------------------------------------------------------------------------
Chris Apple                     Business Site: AnyWho Directory Service
Internet Directory Group                       http://www.anywho.com
AT&T Labs
capple <at> master.control.att.com
+1 908 582 2409                 Tired of slow directories?  Try AnyWho.
------------------------------------------------------------------------

Filip Hanik | 13 Jun 1998 23:40

Re: LDAP Address Book Schema

This might not be the answer but I'm going to play with the Netscape Directory Service.

Maybe the answer is there.

Filip

         ||||
----oo--00--oo--------------
           ~~
Filip Hanik
Software Engineer / JAVA-CORBA
Verge Software Co.
539 Bryant Street, #304
San Francisco, CA 94109
filip <at> vergesoft.com

-----Original Message-----
From:   Christopher W Apple [SMTP:capple <at> master.control.att.com]
Sent:   Friday, June 12, 1998 10:22 PM
To:     ietf-asid <at> netscape.com; ietf-lsd <at> listserv.umu.se
Subject:        LDAP Address Book Schema

Does anyone know of an existing public specification for
an Address Book schema for LDAP directories?

Specifically, I'm looking for examples of existing practice
of using an LDAP server as a repository for Personal Address Book
information that could be accessed from mail clients.

------------------------------------------------------------------------

Gregory Toto | 14 Jun 1998 19:08

unsubscribe ietf-lsd toto <at> goware.com

unsubscribe ietf-lsd toto <at> goware.com

-
_____________________________________________________________________
Gregory Toto ~ GoWare Inc. ~ toto <at> goware.com ~ 650/325-6454
