RFC 2120        Managing the X.500 Root Naming Context        March 1997

Table of Contents

1 Introduction............................................. 2
2 Migration Plan........................................... 3
3 Technical Solutions...................................... 3
4 The Fast Track Solution.................................. 4
5 The Slower Track Solution................................ 6
6 The Long Term Solution................................... 7
7 Security Considerations.................................. 8
8 Acknowledgments.......................................... 9
9 References............................................... 9
10 Author's Address........................................ 10
Annex 1 Solution Text of Defect Reports submitted to ISO/ITU-T
        by the UK.......................................... 11
Annex 2 Defect Report on 1993 X.500 Standard for Adding full
        ACIs to DISP for Subordinate References, so that
        Secure List Operation can be performed in Shadow
        DSAs............................................... 12
Annex 3 Defect Report on 1997 X.500 Standard Proposing an
        Enhancement to the Shadowing Agreement in order to
        support 1 Level Searches in Shadow DSAs............ 14

1 Introduction

The NameFLOW-Paradise service has a proprietary way of managing the set of first level DSAs and the root naming context. There is a single root DSA (Giant Tortoise) which holds all of the country entries, and the country entries are then replicated to every country (first level) DSA and other DSAs by Quipu replication [RFC 1276] from the root DSA. In June 1996 there were 770 DSAs replicating this information over the Internet.

The root DSA is not a feature of the X.500 Standard [X.500 93]. It was introduced because of the non-standard nature of the original Quipu knowledge model (also described in RFC 1276). However, it does have significant advantages both in managing the root naming context and in the performance of one-level Searches of the root.
Performance is increased because each country DSA holds all the entry information of every country. By comparison, the 1988 X.500 Standard root context which is replicated to all the country DSAs, only holds knowledge information and a boolean (to say if the entry is an alias or not) for each country entry. This is sufficient to perform an insecure List operation, but not a one-level Search operation. When access controls were added to the 1993 X.500 Standard, the root context information was increased (erroneously as it happens - this is the subject of defect report 140 - see Annex 1) to hold the access controls for each country entry, but a note in the X.500 Standard restricted its use to the List operation, in order to remain compatible with the 1988 edition of the X.500 Standard.

Chadwick                      Experimental
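
The difference between the two kinds of replicated root context described above can be modelled in a few lines. This is an added illustration, not code from the RFC or from Quipu; the class and function names, the DSA names and the sample attribute values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RootCopy:
    """One country entry as held in a first-level DSA's copy of the root context."""
    rdn: str                           # e.g. "c=GB"
    is_alias: bool                     # the boolean the 1988 root context carries
    master_dsa: str                    # knowledge information (hypothetical DSA names)
    attributes: Optional[dict] = None  # present only when full entries are replicated

class MustChain(Exception):
    """The local copy cannot answer; the request has to go to these DSAs."""
    def __init__(self, dsas):
        super().__init__("chain to: " + ", ".join(dsas))
        self.dsas = dsas

def list_root(copies):
    """List needs only the RDN and alias flag, so any copy can answer it.
    No access-control check is made here: this is the insecure List."""
    return sorted((c.rdn, c.is_alias) for c in copies)

def search_root_one_level(copies, attr, value):
    """Equality-filter Search over the root's immediate subordinates.
    The filter is evaluated against entry attributes, so a copy that
    holds only knowledge information cannot answer locally."""
    remote = sorted({c.master_dsa for c in copies if c.attributes is None})
    if remote:
        raise MustChain(remote)
    return sorted(c.rdn for c in copies if value in c.attributes.get(attr, []))

# Constructed sample data: two countries, hypothetical DSA names and values.
KNOWLEDGE_ONLY = [
    RootCopy("c=GB", False, "dsa-gb.example"),
    RootCopy("c=DE", False, "dsa-de.example"),
]
FULL_ENTRIES = [
    RootCopy("c=GB", False, "dsa-gb.example", {"friendlyCountryName": ["United Kingdom"]}),
    RootCopy("c=DE", False, "dsa-de.example", {"friendlyCountryName": ["Germany"]}),
]

if __name__ == "__main__":
    print(list_root(KNOWLEDGE_ONLY))
    try:
        search_root_one_level(KNOWLEDGE_ONLY, "friendlyCountryName", "Germany")
    except MustChain as exc:
        print(exc)
    print(search_root_one_level(FULL_ENTRIES, "friendlyCountryName", "Germany"))
```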



