D W Chadwick
IT Institute
University of Salford
Salford
M5 4WT
England
Phone: +44 161 745 5351
Fax: +44 161 745 8169
E-mail: D.W.Chadwick@iti.salford.ac.uk
Chadwick Experimental [Page 10]
RFC 2120 Managing the X.500 Root Naming Context March 1997
Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-T by
the UK
Defect Report 140
Nature of Defect
In section 24.1.4.2 it is defined that the SubordinateToSuperior
parameter of a HOB can pass an entryInfo parameter. This should
contain entryACI which may be used in the resolution of the List
operation.
This is not correct as the prescriptive ACI from the relevant
subentries is also required in the superior DSA.
Solution Proposed by Source
It is proposed that the following is added to the
SubordinateToSuperior SEQUENCE of section 24.1.4.2 of X.518:
subentries [2] SET OF SubentryInfo OPTIONAL
This is used to pass the relevant subentries from the subordinate to
the superior. This is similar to the way subentry information is
passed in the SuperiorToSubordinate parameter defined in 24.1.4.1.
Defect Report 142
Nature of Defect
The text which describes AreaSpecification in clause 9.2 of X.525 is
completely general. However, for the special case of replicating
first level knowledge references between first level DSAs, a
clarifying sentence should be added.
Solution Proposed by Source
In Section 9.2, under the ASN.1, after the description of area, and
before the description of SubtreeSpecification, add the sentence:
"For the case where a DSA is shadowing first level knowledge from
a first level DSA, the contextPrefix component is empty."
Annex 2 Defect Report on 1993 X.500 Standard for Adding full ACIs to
DISP for Subordinate References, so that Secure List Operation can
be performed in Shadow DSAs
Nature of Defect:
The List operation may be carried out in a superior DSA using
subordinate reference information, providing that the fromEntry flag
is set to false in the response. However, in order to do this
securely, complete access control information is needed for the RDN
of the subordinate entry. The existing text assumes that this is held
in entry ACI (e.g. see 9.2.4.1 c) or in prescriptive ACI held in
subentries above the DSE (e.g. see 9.2.4.1 b). In the case of a
subordinate reference, the prescriptive ACI may be held below the
DSE, if the subordinate reference points to a new administrative
point. The shadowing document needs to make it clear that this can be
the case, and needs to allow for this additional access control
information to be shadowed.
A related defect report (140) has already proposed correcting the
same omission in operational bindings.
Solution Proposed by the Source:
All the following changes are to X.525|ISO 9594-9.
I) Insert the following text into 7.2.2.3, at the end of both the
second paragraph and the first sentence of the third paragraph (after
"appropriate knowledge"): "and access control information."
II) Insert a new third paragraph into 7.2.2.3: "If subordinate
knowledge is supplied, and the supplying DSE (of type subr) is also
of type admPoint, then the SDSE shall additionally be of type
admPoint and the administrativeRole attribute shall be supplied. If
such a DSE has any immediately subordinate subentries containing
PrescriptiveACI relating to the administrative point, then they shall
also be supplied as SDSEs in the shadowed information.
Note. A DSE can be of type subr and admPoint in a superior DSA, when
the naming context in the subordinate DSA is the start of a new
administrative area."
III) Update figure 3 to show a subentry immediately below a
subordinate reference. The subentry contains prescriptiveACI and is
part of the shadowed information.
                              .
                    Etc.     / \
                            /   \
                           /  o  \
                          /  / \  \
  Replicated             /  /   \  \
     Area --------------/--/->   \  \
                       /  /       \  \
                      /  /         \  \
                     /  /           \  \
  Subordinate       /__/_____________\__\
  knowledge--------/->  o     o     o    \
                  /    / \                \
  Prescriptive---/->  o   o                \
  ACI Subentries/                           \

                    Unit of Replication

                            Etc.
                              o
                             / \
                            /   \
                           /     \
                          /       \
                         /         \
                        /           \
                       /_____________\
                        o     o     o
                       / \
                      o   o

                    Shadowed Information

          ADDITIONS TO FIGURE 3, SECTION 7.2, X.525
IV) Add supporting text to section 7.2 in the paragraph after Figure
3. Insert after the sentence "Subordinate knowledge may also be
replicated" the following sentences: "Implicit in the subordinate
knowledge is the access control information which governs access to
the RDN of the subordinate knowledge. When the subordinate entry is
an administrative point in another DSA, then part of this access
control information may be held in prescriptiveACI subentries beneath
the subordinate knowledge."
V) Add a new point d) to 9.2.4.1: "if subordinate knowledge (not
extended knowledge) is shadowed then any prescriptiveACI in
subordinate subentries shall also be copied."
Annex 3 Defect Report on 1997 X.500 Standard Proposing an Enhancement to
the Shadowing Agreement in order to support 1 Level Searches in Shadow
DSAs.
Nature of Defect:
The 1997 edition of the X.500 Standard has allowed, for reasons of
operational efficiency, one level Searches to be carried out in the
superior DSA, when the actual entries are context prefixes in
subordinate DSAs. The HOBs have been extended to allow this entry
information to be carried up to the superior DSA. Unfortunately, we
forgot to add the corresponding text to Part 9, so that shadow DSAs
are able to copy this additional information from the supplier DSA.
This defect report proposes the additional text for Part 9.
Solution Proposed by the Source:
All the following changes are to X.525|ISO 9594-9.
I) Section 9.2, add a new subordinates parameter to
UnitOfReplication, viz:
UnitOfReplication ::= SEQUENCE{
    area          AreaSpecification,
    attributes    AttributeSelection,
    knowledge     Knowledge OPTIONAL,
    subordinates  BOOLEAN DEFAULT FALSE }
subordinates is used to indicate that subordinate entries, rather
than simply subordinate references, are to be copied to the
consumer DSA. subordinates may only be TRUE if knowledge is
requested and extendedKnowledge is FALSE.
II) Insert a new fourth paragraph (assuming previous defect for
List was accepted) into 7.2.2.3:
"If subordinates is specified, then the supplier shall send
subordinate entries rather than subordinate references, and the
SDSEs will be of type subr, entry and cp. The subordinate entries
will contain attributes according to the attribute selection.
In addition, if the supplying DSE is of type admPoint, then the
SDSE shall additionally be of type admPoint and the
administrativeRole attribute shall be supplied. All appropriate
subentries below the admPoint DSE shall also be supplied as SDSEs
in the shadowed information."
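The supplier-side selection rules proposed in Annex 2 (II and V) and Annex 3 (I and II), worked through as an added example that is not part of the RFC or of any X.500 implementation. The DSE class, check_unit, shadow_subr and the sample c=GB data are hypothetical names and constructed values; copying every subentry when subordinates is TRUE is this sketch's reading of "all appropriate subentries".

```python
from dataclasses import dataclass, field

@dataclass
class DSE:
    rdn: str
    types: frozenset                      # DSE type names as used in the annexes
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

def check_unit(knowledge, extended_knowledge, subordinates):
    """Annex 3 I): subordinates needs knowledge and excludes extendedKnowledge."""
    if subordinates and (not knowledge or extended_knowledge):
        raise ValueError("subordinates requires knowledge with extendedKnowledge FALSE")

def shadow_subr(dse, subordinates=False, selection=()):
    """SDSEs a supplier sends for one subordinate-knowledge DSE (type subr)."""
    if "subr" not in dse.types:
        raise ValueError("not a subordinate reference")
    types, attrs = {"subr"}, {}
    if subordinates:                      # Annex 3 II): entry, not a bare reference
        types |= {"entry", "cp"}
        attrs = {k: v for k, v in dse.attrs.items() if k in selection}
    sdses = []
    if "admPoint" in dse.types:           # Annex 2 II) and Annex 3 II)
        types.add("admPoint")
        attrs["administrativeRole"] = dse.attrs["administrativeRole"]
        for sub in dse.children:
            if "subentry" not in sub.types:
                continue
            # Annex 2: only subentries holding prescriptiveACI are required.
            # Annex 3: assumed here to mean every subentry below the admPoint.
            if subordinates or "prescriptiveACI" in sub.attrs:
                sdses.append(DSE(sub.rdn, sub.types, dict(sub.attrs)))
    return [DSE(dse.rdn, frozenset(types), attrs)] + sdses

# Constructed sample: a first-level reference that starts a new administrative area.
GB = DSE("c=GB", frozenset({"subr", "admPoint"}),
         {"administrativeRole": ["id-ar-autonomousArea"],
          "description": ["constructed value"],
          "telephoneNumber": ["constructed value"]},
         [DSE("cn=ACI", frozenset({"subentry"}), {"prescriptiveACI": ["<ACIItem>"]}),
          DSE("cn=Schema", frozenset({"subentry"}), {"dITStructureRules": ["<rule>"]})])

if __name__ == "__main__":
    for sdse in shadow_subr(GB):
        print(sdse.rdn, sorted(sdse.types), sorted(sdse.attrs))
```

Without the cn=ACI subentry in the first result, a consumer DSA answering List for c=GB would have no prescriptive ACI to evaluate for that RDN, which is the gap Annex 2 describes.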