   wide range of applications. Whereas globally integrated projects must
   conform to a specific DIT, independent X.500 operations may define
   unique DITs, object classes and attributes as per their specific
   needs;

   - X.500 is a good alternative for paper directories, offering the
   ability to update and modify in an interactive mode. This allows a
   company to provide the most current information with less cost and
   effort;

   - because of the electronic base of X.500, other electronic
   applications may interact with the application without human
   intervention.

   The benefits for global directory use are:

   - the distributed nature of X.500 is well suited for large global
   applications such as the White Pages Directory. Maintenance can be
   performed in a distributed manner;

   - X.500 offers good searching capabilities from any level in the DIT.
   Also with "User Friendly Naming" in place, searches are very
   intuitive;

Jennings                     Informational                      [Page 6]

RFC 1943     Building an X.500 Directory Service in the US      May 1996

   - there are DUA interfaces for the White Pages service available for
   all types of workstations. For an overview of X.500 software, reference
   RFC1632.

   - X.500 is an international standard. Using such a standard ensures
   interoperability within the worldwide base.

2.5     Other Applications of X.500

   In addition to the White Pages, X.500 can be used as a source for any
   type of information that needs a distributed storage base.

   The University of Michigan is using X.500 for electronic mail
   routing. Any mail coming to the university domain, umich.edu, gets
   expanded out to a local address that is stored in the rfc822Mailbox
   attribute. The University also operates a standard X.500 name server
   which provides name lookup service of over 200,000 names. They use
   the Lightweight Directory Access Protocol (LDAP) [11].

   An implementation of the X.500 Standard directory service has been
   incorporated into the Open Software Foundation (OSF) Distributed
   Computing Environment (DCE). This component, known as the Global
   Directory Service (GDS), provides an area where distributed
   application clients can find their application servers. The GDS, in
   response to requests made by other clients, provides the unique
   network address for a particular DCE resource.  Because it is based
   on an international standard, GDS can offer access to resources among
   users and organizations worldwide. This scalable service can be
   performed in DCE environments that range in size from the very small
   to the very large.

   Lookup services can be implemented into a variety of applications.
   Cambridge University in Great Britain implemented the X.500 directory
   service into an employee locator application. Based on badge sensors
   at strategic locations, this application can determine the
   whereabouts of an employee on the campus. As the individual moves
   about, the sensors register their location in an X.500 Directory.

   Digital Signature Service (DSS) and Privacy Enhanced Mail (PEM) work
   on the principle of a directory key server which generates and
   provides users with "public" codes that match previously registered
   "private" codes. Only the recipient can decipher messages sent in
   this fashion. The X.509 [4] standard for key certificates easily fits
   within the structure of the X.500 Directory Service.

3.0     Legal Issues

3.1     Introduction

   Currently in the United States, there are no specific legal rules for
   the information that is provided via an electronic directory service.
   Various organizations and groups associated with usage of the
   Internet, noting a need to address privacy and data integrity issues,
   have prepared directives to address this issue. Two such areas
   addressed are those of the rights of registrants included in the
   directory and the responsibility of administrators to guarantee the
   integrity of such data.

   Registries containing information that is related to an individual are
   freely transferred and unregulated in the US, unless the provider of
   the data is an agency or a holder of sensitive information as
   defined by federal legislation and further may differ for each state.
   An agency is defined as: any executive department, military
   department, Government corporation, Government controlled
   corporation, or other establishment in the executive branch of the
   Government (including the Executive Office of the President), or any
   independent regulatory agency. Sensitive data can be financial
   records, medical records, and certain legal documents. As previously
   noted, each state has their own legislation on sensitive or private
   data. The registered persons have little recourse to control list
   information short of filing a lawsuit against the information
   provider.

   For individuals who transfer data across country boundaries, it is
   important to understand that other countries may have legislation to
   regulate data. Prior to requesting list information from these
   countries, an administrator should review applicable legislation and
   have some mechanism in place to ensure how data will be handled once
   it crosses the border. Policy Statements for some countries have
   been prepared and are provided for via Code of Conduct papers.

3.2     Purpose of the Directory

   The operational intent including presentation data and list
   registrants and access rights must be clearly defined and stated.
   Initially this provides the skeleton of the DIT. Eventually a
   statement such as this may provide a basis legally justifying the
   directory.

   All data presented must be defined in the purpose. If for example, a
   directory is for the sole purpose of providing professional
   addressing information - an entry would include name, postal address,
   office telephone, facsimile number, electronic mail address and
   company name.  Private address information listing the home address
   or phone would be prohibited as would any other information not
   directly related to addressing.

3.3     User Rights

   The North American Directory Forum (NADF) has published a document
   that defines the User Bill of Rights [5]. This document defines an
   individual's rights regarding the public release of personal or
   private information.  Among other issues stated, the user has the
   right to be notified regarding the inclusion of their information in
   a data registry as well as the right to examine and have incorrect
   information changed.

   This paper is specifically written for the North American Directory
   Forum and recommends compliance with US or Canadian laws regulating
   privacy and access information.

   Although current US legislation does not include all the suggestions
   in this document, it is the responsibility of the controller of the
   data to respect the rights of the individuals. These recommended
   rules can be seen as respect for the individual and the considerate
   controller will follow these guidelines within any boundaries that
   they may be mandated by.

3.4     Data Integrity

   An information provider has the responsibility to guarantee the data
   that they make available to users. The integrity of a data source is
   heavily weighted by the accuracy and timeliness of the contents.
   Interoperable data sources must have concurrence of these factors as
   well. The degree to which an information provider can guarantee the
   validity of the data that they present reflects on the validity of
   the provider in general. RFC 1355 [6] suggests that a data source
   enable accuracy statements describing the process that the individual
   NIC will use to maintain accuracy in the database.

   In the European community, it is a legal requirement that the
   information provider guarantee accurate data.

   The controller of the information needs to be certain of the primary
   source of data. When possible, the controller should develop routines
   of random checks to validate the registry data for correctness.

3.5     Data Security

   A Directory Service with non-authenticated access from the Internet
   is difficult to protect from unauthorized use. Unauthorized use being
   defined by each organization within the directory purpose statement.
   Typical misuse being by individuals who attempt to duplicate the
   directory for unauthorized purposes. Other security measures include:
   Access Control Lists (ACLs), limitations on number of entries
   returned to a query, and time to search flags. The result of such
   controls will affect the legitimate user as well as the user they are
   intended to block.

   An alternative that may provide protection from misuse is to create
   and display an attribute with each entry stating non-approved usage.
   This feature will also provide evidence of restricted use in the
   event that a legal case is necessary to stop unauthorized access.

   The responsibility again falls on the data provider/implementor of
   the directory service.
   Astute programmers will create or make use of existing tools to
   protect against data destruction, falsification, and misuse.

3.6     Conclusions

   User Rights, Data Integrity and Protection of data should not be
   considered merely in an effort to abide by legal rulings; they should
   be the intention of a good data source. A successful Directory
   Service must be aware of the requirements of those individuals
   inclusive in the list as well as those of the directory users.

   In general, at the minimum the following conditions should be
   observed:

        1. Define the purpose of the Directory.

        2. Initially inform all registrants of their inclusion in
           a Directory.

        3. Prevent the use of data beyond the stated purpose.

        4. Limit the attributes associated to an entry within
           boundaries of the purpose.

        5. Work towards a suitable level of security.

        6. Develop a mechanism to correct/remove faulty data
           or information that should not be in the Directory.

4.0     Infrastructure

4.1     Introduction

   The White Pages Project, currently operated by Performance Systems
   International (PSI) provides a reliable QUIPU infrastructure for
   sites wishing to provide their own X.500 directory. Started in 1989
   as the NYSERNet White Pages Pilot Project it was the first
   production-quality field test of the Open Systems Interconnection
   (OSI) technology running on top of TCP/IP suite of protocols [7].
   This pilot X.500 Directory provided a real-time testbed for a
   variety of administrative and usage issues that arise. Today, more
   than 30 countries participate in the globally distributed project
   with over 1 million entries. The White Pages pilot is one of 37 other
   pilots cooperating to provide information in the Nameflow-PARADISE
   directory; a European project.

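An added illustration, not part of RFC 1943, of the controls named in sections 3.2, 3.5 and 3.6 above: a purpose-bound attribute allowlist, per-query size and time limits, and a usage notice attached to every returned entry. The sample entries, the limit values and the `usageNotice` attribute name are constructed for this example.

```python
import time

# Attributes the purpose statement allows (section 3.2: professional
# addressing only). "usageNotice" is a hypothetical attribute name.
PURPOSE_ATTRS = {"commonName", "postalAddress", "telephoneNumber",
                 "facsimileTelephoneNumber", "rfc822Mailbox", "organizationName"}
USAGE_NOTICE = "Professional addressing only; bulk copying is not approved."
SIZE_LIMIT = 2      # entries returned per query (tiny, for the demonstration)
TIME_LIMIT = 0.5    # seconds a single search may run

# Constructed sample entries; homePhone falls outside the stated purpose.
ENTRIES = [
    {"commonName": "Ann Lee", "rfc822Mailbox": "ann@example.org",
     "telephoneNumber": "+1 555 0100", "homePhone": "+1 555 0199"},
    {"commonName": "Bob Ray", "rfc822Mailbox": "bob@example.org",
     "organizationName": "Example Corp"},
    {"commonName": "Cy Dunn", "rfc822Mailbox": "cy@example.org",
     "homePhone": "+1 555 0198"},
    {"commonName": "Joann Poe", "rfc822Mailbox": "joann@example.org"},
]


def search(substring, entries=ENTRIES, size_limit=SIZE_LIMIT,
           time_limit=TIME_LIMIT, clock=time.monotonic):
    """Substring search on commonName; returns (results, status)."""
    deadline = clock() + time_limit
    needle = substring.lower()
    results = []
    for entry in entries:
        if clock() > deadline:
            return results, "timeLimitExceeded"
        if needle not in entry.get("commonName", "").lower():
            continue
        if len(results) >= size_limit:
            # More matches exist than one query may return.
            return results, "sizeLimitExceeded"
        # Release only purpose-approved attributes, then attach the notice.
        view = {k: v for k, v in entry.items() if k in PURPOSE_ATTRS}
        view["usageNotice"] = USAGE_NOTICE
        results.append(view)
    return results, "ok"


if __name__ == "__main__":
    print(search("ann"))   # narrow lookup, answered in full
    print(search(""))      # directory-wide sweep, cut off at SIZE_LIMIT
    print(search("n"))     # a legitimate broad query is cut off as well
```

The third call shows the trade-off section 3.5 points out: the size limit that stops a sweep of the whole directory also truncates an ordinary broad query.
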
   Initially the software was public domain, QUIPU X.500 [8]. This
   "shareware" application in conjunction with administrative services
   provided free of charge by PSI, allowed for a truly distributed X.500
   Directory Service to operate.

   In keeping with the Internet rules of operation, the lack of the US
   regulations, the suggestions of North American Directory Forum and
   the Internet Engineering Task Force (IETF), the complications that
   arise from multi-distributed data as a service can be overwhelming.
   PSI took on the challenge to provide such a service, and continues to
   ensure operations today.

4.2     A Well Maintained Infrastructure

   This distributed information service involves the cohesive effort of
   all of the participating organizations. The ISO Development
   Environment (ISODE) implementation of the OSI Directory, provided the
   attributes and uniformity to facilitate this effort.

   The primary DSA for the PSI Project is named Alpaca. Operating on a
   Sun Sparc 10 with 120 megabytes of memory, this host serves as the
   Master for the DSAs of 117 organizations under c=US. Redundancy for
   Alpaca is provided by two sources, Fruit Bat operated by PSI and Pied
   Tamarin operated by the InterNIC. Slave updates to this host are
   provided on a nightly basis from the individual DSAs.

   The data presentation is hierarchical in nature and emulates the
   common white pages telephone book. The information provided contains
   at minimum: a common name, voice phone listing, and electronic mail
   addressing. Each entry has a uniqueness associated with it; the
   relative distinguished name which is comprised of the entire
