RFC 1943     Building an X.500 Directory Service in the US      May 1996

   directory information tree. The DITs may vary slightly, but each must
   contain an organization, and a person. The nature of the directory
   and the structure of the actual organization for whom the directory
   is being provided contribute to the overall DIT structure. The
   following is a list of commonly used attributes:

   commonName      physicalDeliveryOfficeName      stateOrProvinceName
   description     photo                           streetAddress
   userid          postOfficeBox                   surname
   favouriteDrink  postalAddress                   telephoneNumber
   title           rfc822Mailbox                   facsimileTelephoneNumber

4.3     DUA Interfaces for End Users

   There are a variety of user interfaces on the market today that will
   provide Directory User Agent access to the X.500 Directory. Standard
   protocols such as fred, whois, whois++, finger, are used widely.
   Interfaces are also available via World-wide Web browsers and
   electronic mail.

   Vendors providing DUAs include ISODE Consortium, NeXor, and Control
   Data Corporation. These applications operate in conjunction with the
   vendor provided DSAs.

   Historically DUA interfaces were difficult to implement and required
   the entire OSI stack. Implementing such a product on a PC or Apple
   platform required skillful programming. The executables for these
   platforms were usually very large. The IETF has since defined and
   standardized the Lightweight Directory Access Protocol (LDAP) [11], a
   protocol for accessing on-line Directory services which offers
   comparable functionality to the Directory Access Protocol (DAP). It
   runs directly over TCP and is used by nearly all X.500 clients. LDAP
   does not have the overhead of the various OSI layers and runs on top
   of TCP/IP.

   The functionality varies by specific DUA. Each offers access to the
   X.500 Directory. Most offer the ability to make modifications to
   entries.
   There are a few that offer Kerberos authentication.

   Further information on LDAP clients for specific platforms can be
   found on the University of Michigan WWW server:
   http://www.umich.edu/~rsug/ldap.

   Another interface that has been tested and recommended for users by
   our Dutch (Surfnet) colleagues is Directory Enquiry (DE). Originally
   developed by University College London for the Paradise project in
   Europe, the engineers at Surfnet have selected DE as the best
   interface for "dumb" terminals. They have also translated the
   interface into Dutch for their local users [12].

Jennings                     Informational                     [Page 12]

   Ideally, users should be able to access X.500 directly from their
   electronic mail applications. Vendors (other than the ones mentioned
   above) have been slow to incorporate the X.500 Standards into their
   electronic mail applications.

5.0     Data Management & Pilot Projects

5.1     Simple Internet White Pages Service

   A wide variety of directory services retrieval protocols has emerged
   in the time since the original Internet White Pages was begun in
   1989. To ensure that decentralized implementations will have
   interoperability with other providers, the IETF Integrated Directory
   Services Working Group is working to create a draft focusing on the
   common information and operational modeling issues to which all
   Internet White Pages Services (IWPS) must conform.

   Utilizing current information servers, the conceptual model described
   includes issues regarding naming, schema, query and response issues
   for a narrowly defined subset of directory services. The goal of this
   paper is to establish a simple set of information objects, coupled
   with a basic set of process requirements that will form a basis which
   can lead to ubiquitous IWPS.
   With this goal in mind, it will be
   easier to provide a consistent User view of the various directory
   services.

5.2     InterNIC

   The InterNIC [9] is a collaborative project of two organizations
   working together to offer the Internet community a full scope of
   network information services. Established in January 1993 by the
   National Science Foundation, the InterNIC provides registration
   services and directory and database services to the Internet.
   (The Internet is a global network of more than 13,000 computer
   networks, connecting over 1.7 million computers and used by an
   estimated 13 million people.) In keeping up with the exponential
   growth of the Internet, the InterNIC provides a guide to navigate the
   maze of available resources.

   InterNIC provides two types of services: InterNIC directory and
   database services and registration services. AT&T provides the
   directory and database services, acting as the pointer to numerous
   resources on the network offering X.500 to help users easily locate
   other users and organizations on the Internet.

5.3     ESnet

   The Energy Sciences Network [10] is a nationwide computer data
   communications network whose primary purpose is to support multiple
   program, open scientific research. As part of this support, ESnet
   offers networking services including information access and
   retrieval, directory services, group communications series, remote
   file access services and infrastructure services. As an early member
   of the White-Pages Pilot Project, ESnet continues to be a part of the
   worldwide distributed directory service based on the ISO/OSI X.500
   standard. There are over nineteen ESnet organizations represented in
   the directory, comprising over 120,000 entries.
   ESnet provides access
   to seven other sites via the X.500 DSAs.

6.0     Recommendations

6.1     General

   The X.500 Directory technology is available through several options.
   Vendors can provide consultation for schema design as well as supply,
   install, and support the software to perform the operations required.
   For smaller organizations or companies who do not want to administer
   their own DSA, there are providers available who will maintain the
   DSAs remotely and provide this service to the Internet. Those with
   network and management expertise can either operate independently or
   join one of several white pages directory projects. Careful
   consideration must be given to the initial investment required and
   the required maintenance process.

6.2     Getting Started

   Successful initialization of a directory service requires a
   systematic approach. The complexity of offering this type of service
   becomes more apparent as implementation progresses. Several aspects
   must be considered as this service becomes a cooperative effort among
   the technical, administrative, organizational, and legal disciplines.

   Procedures must be defined and agreed to at the initial phase of
   implementing an X.500 Directory service [13].  The following are
   issues that should be addressed in these procedures.

6.3     Who are the Customers?

   Defining the customer and the customer requirements will determine
   the scope of service to offer. What is the primary purpose for the
   directory service? A company may find it desirable to do away with a
   paper directory while simultaneously providing the current directory
   information. The directory may be for internal use only or expanded
   to any users with Internet access.
   Will the customer use the
   directory for e-mail address only or is other locational information
   such as postal address and telephone number a requirement?

   The directory may provide information to electronic customers such as
   distributed computing applications as well. In this case, the data
   must be provided in machine readable format.

   Will the customers extend across country boundaries? Information may
   be considered private by one country and not by another. It is
   necessary to be aware of the legalities and restrictions for the
   locality using the data.  Some countries have published a Code of
   Conduct with the IETF, explicitly stating the legal restrictions on
   directory and list data. Check the archives to determine if the
   country with whom information will be shared has presented such
   information.

6.4     What are the contents of the Directory?

   The information presented in the directory is tightly coupled with
   the purpose. If the purpose is to provide addressing information for
   individuals, then customary information would include: Name, address,
   phone, e-mail address, facsimile number, pager, etc. If the use of
   the directory is to facilitate electronic mail routing then the
   destination mail address needs to be included for each user. No other
   information should be presented in the directory if it is not
   directly related to the purpose.

   If the directory is internal only, it may be desirable to include the
   registrant's title as well. Remember that information available on the
   Internet is generally open to anyone who wants to access it.
   Individuals wishing to target a specific market may access
   directories to create customer mailing lists.

   The structure or schema of the X.500 Directory must be an initial
   consideration.
   Will the hierarchy follow the company structure or is
   a different approach more practical? How many entries will there be
   in the directory: five or 50,000? A complex hierarchy for thousands of
   users may affect the efficiency of queries.

6.5     What are the rights of the individuals?

   The subjects included in the directory shall have well defined
   rights.  These may be mandated by company policy, legal restrictions,
   and the ultimate use of the directory. For a basic Internet White
   Pages Service these rights may include:

        1. the option of inclusion in the directory
        2. the right of access to the information
        3. the right to have inaccurate entries corrected

   The terms and conditions for employees of an organization may affect
   these rights. On becoming an employee of any organization, an
   individual inevitably agrees to forego certain personal privacies and
   to accept restrictions.

   Every organization should develop and publish the "rights" that can
   be expected by the list registrants.

6.6     Data Integrity

   Information that needs to be included in the directory may come from
   various sources. Demographic information may originate from the human
   resources department. Electronic mail addresses may be provided by
   the computer network department. To guarantee data integrity, it is
   advised that the data be identified and maintained as corporate
   information.

   The required timeliness of the data is unique for each DSA. Updates
   to the data may be as frequent as once a day or once a month. Updates
   to the data must be provided on a regular basis. In cases where data
   is time sensitive, an attribute should be included to display the
   most recent maintenance date.

   A regular check for data accuracy should be included in the directory
   administration.
   Faulty information may put an organization in breach
   of any data protection laws and possibly render the company as
   unreliable.

6.7     Data Security

   Securing networked information resources is inherently complex.
   Attempts must be made to preserve the security of the data. These may
   include access control lists (ACLs), limiting the number of responses
   allowed to queries, or internal/external access to the directory.

   The 1993 recommendations have added a complex access control model
   that is designed to tightly restrict the access that users may have
   to the information in the Directory. Local protection is configured
   by the implementor. A secure X.500 Directory should provide tools to
   protect against destruction, falsification, and loss of data.

   There is not a tool yet that will protect against the misuse of data.
   There are flags and limits that can be set from within the
   application that will serve somewhat as a barrier to such unwanted
   use. Any restrictions, however, will also affect the legitimate users.
   One suggestion is to post a notice of illegitimate use within each
   entry. This of course will only serve as a deterrent and as an asset
   should legal action be required.

   Again, caution must be taken when transferring data between country
   and state borders. In the US data regulations differ from state to
   state.

6.8     Data Administration

   The decentralized nature of the X.500 Directory service means that
   each organization has complete control over the data. As part of a
   global service however, it is important that the operation of the DSA
   be monitored and maintained in a consistent manner. Authorization
   must be given to the local manager of the information and in some
   cases, the subjects included in the directory may also have
   modification privileges.

   Once the service is running, the importance of guaranteed operation
   cannot be overstated. Maintenance of the local Directory will be an
   integral part of normal administrative procedures within the
   organization and must be defined and agreed upon in the initial
   stages of development.
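
The controls listed in section 6.7 (access control lists, a limit on the number of responses to a query, and separate internal and external access) can be combined as in the sketch below. It is an added example, not part of RFC 1943: the address range, the per-class policy and the sample entries are constructed assumptions, and only the attribute names come from the RFC's list of common attributes.

```python
from ipaddress import ip_address, ip_network

# Constructed sample entries; attribute names are from the RFC's attribute list.
ENTRIES = [
    {"commonName": "Ann Archer", "surname": "Archer", "title": "Director",
     "rfc822Mailbox": "ann@example.org", "telephoneNumber": "+1 555 0100"},
    {"commonName": "Bo Archer", "surname": "Archer", "title": "Analyst",
     "rfc822Mailbox": "bo@example.org", "telephoneNumber": "+1 555 0101"},
    {"commonName": "Cy Baker", "surname": "Baker", "title": "Engineer",
     "rfc822Mailbox": "cy@example.org", "telephoneNumber": "+1 555 0102"},
]

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumption: the organization's own range
POLICY = {  # hypothetical policy: readable attributes and size limit per class
    "internal": {"read": {"commonName", "surname", "title", "rfc822Mailbox",
                          "telephoneNumber"}, "size_limit": 100},
    "external": {"read": {"commonName", "surname", "rfc822Mailbox"},
                 "size_limit": 2},
}


def search(client_ip, attr, prefix):
    """Return (entries, truncated) for a prefix match on one attribute."""
    cls = "internal" if ip_address(client_ip) in INTERNAL_NET else "external"
    policy = POLICY[cls]
    # Matching on an attribute the requester cannot read would turn the search
    # into an oracle for its value, so the filter is checked against the ACL too.
    if attr not in policy["read"]:
        raise PermissionError(f"{cls} requesters may not search on {attr}")
    matches = [e for e in ENTRIES
               if e.get(attr, "").lower().startswith(prefix.lower())]
    limit = policy["size_limit"]
    # Return only readable attributes, and at most `limit` entries, so a
    # wildcard query cannot be used to copy the whole directory.
    visible = [{k: v for k, v in e.items() if k in policy["read"]}
               for e in matches[:limit]]
    return visible, len(matches) > limit


if __name__ == "__main__":
    print(search("192.0.2.7", "surname", ""))       # external, truncated to 2
    print(search("10.1.2.3", "surname", "Archer"))  # internal, full attributes
```

As section 6.7 notes, the same limits also constrain legitimate users, so the size limit and the readable set per class are the values to tune against the directory's stated purpose.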
