Editor's Note: Minutes received 8/12 CURRENT_MEETING_REPORT_ Reported by Steve Hardcastle-Kille/UCL, Doug Simmons/IBM and Justin Walker/Apple Minutes of the OSI Directory Services Working Group (OSIDS) Comments on Agenda Mark Knopper sent apologies for non-attendance and then turned up. Here follow comments on the Minutes from San Diego (OSI-DS-MINUTES 7), particularly relating to action items from that meeting: o Regarding maintenance of RFC-1274, it is Steve and Paul Barker who will be involved, not Colin as the Minutes claimed. o Eric Huizer's strategy document is ready (comments will be made later in the Minutes). o Chris's documents (OSI-DS 14, 16, 17, 19) have not been revised. This will be done by the next meeting. Mark Knopper has taken up the network schema. o Documents OSI-DS-12, 23, 24 have been revised and submitted to the IESG. As suggested in the previous meeting, Steve Hardcastle-Kille read NADF 175 (which has been revised to NADF-(***Didn't get the reference***). He cleared up some misconceptions regarding he NADF position, but overall, his position did not change from the last meeting. o Wengyik continued to work on interoperability issues. However, he had no input, since he was not present. o There will be a NADF meeting next week (that is, the week of 7/20). o The QOS experiments will be discussed as indicated in the Agenda. o The JPEG schema was reviewed. However, the Schema group had not yet formed, so this item was continued. Paul Barker was to establish the schema group, but this had not done this because of overload due to Steve's departure to the ISODE Consortium. Resources were requested (volunteers were solicited; no response was heard from Russ and Mark). o The Character Set experiment wasn't discussed because Geir Pederson wasn't present. The action was continued. o Tim Howes brought us up to date on the DIT Counting effort. The code has been written, and will appear in the next ISODE Consortium 1 release of QUIPU. The item was continued. o Work on schema publishing was completed and will be discussed later. o The action item on preferred names was continued (no one was present to speak on the subject). o Steve H-K finished the revision of RFC-1279 , with Wengyik consulting. The paper has not actually been updated (in its electronic form). It will be circulated. o The lightweight protocol note (LDAP) was revised and circulated. o Steve Hardcastle-Kille looked into possible ISO alternatives to SOS (the Simple OSI Stack). There are no current ISO proposals addressing the SOS issues, but John Day (from BBN) has circulated a document (in OSI circles) on the OSI upper layers. Reviews are not complete, but this document does not seem to be an answer. There were no Matters Arising. We therefore moved right into the liaison reports. 1. RARE (Eric Huizer) As reported at the last meeting, WG3 is no more. The new RARE structure has eight Working Groups, of which one, WGNAP (the Working Group for Network Application support), will undertake directory services (as well as time protocols, etc.). A major problem is that, while a Chair has been identified and wants to undertake the work, he can't get permission to do the job. WGNAP hopes to meet in November. A distribution list has been set up for other than directory service issues. WGNAP will continue to use OSI-DS for its directory service discussions. The Working Group has small budget from RARE, provided they can come up with a priority list of tasks. This could be applied to travel. 2. OSI/CCITT (Ken Rossen) There were two significant events to report. ISO 9594 passed to DIS. The most significant change was in the area of access control (replication and an extended information model). DISP (shadow); DOP (binding) are new protocols. An access control context is a combination of levels of access control. The US pushed successfully for simplified access control: this only allows a decision to be made at administration points (new in model); a decision isn't overridden by lower levels of the tree. As of the last editing meeting, merged text was produced. Unfortunately, the circulated stuff was a mess. There is a good copy, dated 12/25/91 (hence it is called ``the Christmas text''). The second event occurred in May. When ISO SC21 met in Ottawa, the 2 Directory Services Group also met, and changes to the Standard were discussed (with a 2 year target, down from the usual 4). Use of OSI management (CMIP) to manage the directory was put on hold, since the responsible party (from the US) resigned. Work on authentication could be undertaken as there is support for small changes, e.g., certificate revocation. This will wait for the next meeting to commit effort to this work. There was a feeling that there is need for closer work with (ISO) security folks for a more sophisticated security model. Given upper layer security services, there is a need for a scheme to apply to directory services. Also, there is a new edition of ASN-1 encoding rules, which could effect directory. Distinguished encoding rules were introduced that are different from those currently used by the directory. There is need to work out conflicts. This could affect digital signatures. The 1992 X.500/9594 should progress at the next editing meeting in Orlando, in the fall of `92 (this will involve serious cleanup. Rows of ducks will be set up at a US meeting in Nashua this week.). 3. OIW (Russ Wright) The OIW continued work on standardized profiles for DAP, replacing agreements from the OIW and EWOS. They are on schedule for results by the end of year. A joint meeting was held with the X400 SIG to look at MHS and the directory. Their desires right now are unclear, but they will provide a clearer specification. The IGOSS document was reviewed. This is a combined document representing input from GOSIP, the power industry, and the manufacturing industry. This requires `92 directory extensions, including replication. They were asked to review POSIX documents relating to directory services. The documents themselves are in the mail. 4. DISI (Chris Weider) Documents describing advanced directory usage and how to get registered in the directory have been worked on, but not circulated. A revision RFC-1292 has been worked on Four new papers have been prepared: a pilot catalog, a description of DIT setup, the directory naming philosophy, and a schema for restaurant information. 5. AARN Mark Prior There is not much happening at this time. AARN is not willing to commit to further work, nor are they willing to say no to further work. They are waiting for December (***Why?***). There are currently 40000 entries in their directory, and they have just added affiliates. Master and slave machines will be soon be upgraded. 6. NADF (Marshall Rose/Einar Stefferud) The last NADF meeting was in April, the next will be next week (7/20). Discussion of vendor plans at the last meeting was 3 exciting (depressing?). Several documents are available. One provides a naming scheme for a country (discussing principles), and a second provides an application of these principles to the US. A third discusses the theory and practicality of directory security. This latter is up for more debate. There is a desire for simple authentication, but this may be difficult to protect from replay attack. The recommendation may be for protected passwords. The documents should become RFCs (but some can't even seem to be put into the politically *in*correct PostScript format). Marshall will provide copies for Steve Hardcastle-Kille. None of the twelve vendors present supported any but simple authentication. None would commit to supporting `92 extensions (except one who was planning to support the extended information model). In short, things don't seem to be going very well (according to public comment at the meeting. This is born out by Ken's observations at COS). There seems to be more positive support for simplified access control (over the basic version). Ken noted that they think they've fixed NADF complaints. Time was spent at the Ottawa meeting on defect resolution (there is a directory implementor's guide; see Ken). There seems to be some interplay between ISO, NADF. As no pilot project representatives were present, we continued on with the rest of the Agenda. The Naming Guidelines Document, the UFN Document, and the Document Defining String Representation of UFN's. All three were submitted in April to the IESG. They are expected to move forward by end of this month. The Strategy Document. The Strategy document (based on Steve's original) was much modified, based on comments received. Most of the original was retained, but with editing and restructuring. One of the main criticisms was references to other RFCs without indicating the RFC content. Eric's solution was to pull the main points from the RFCs in question, using reference only for detail. He added deployment details and requirements. Therefore, there were a lot of references to DISI papers. The ASCII version (as posted) was quite unreadable. Apologies were tendered, along with a promise to fix it. Comments were requested. One comment at the meeting: a possible extension involving the use of large data values was questioned. The response was that this is only a *possible* extension, not a planned (or required) one. An observation was made that all items in this section (of the document) could be termed controversial. The main point is that the model is not rigid: if deployment experience indicates that a change is needed, it will be addressed. Regarding progress to ID-hood for the strategy document, the approval of the other authors is needed. Then an informational RFC can be 4 submitted. Steve Hardcastle-Kille wants to see this done reflecting an IAB/IESG consensus (as was done, e.g., for RFC-920). He wants the submission and publication to reflect IAB policy. It is unclear what the tradition is. It was felt that we should have OSI-DS consensus, so a sense of meeting was taken; there were no votes against the document, but there were a large number of abstentions (from those who had not read it yet). Eric will take changes, publish the new document as an RFC (both text and PS formats), and get it into the IESG stream. The attendees seemed to favor not waiting for the next meeting, given the consensus here (all who had read approved). Eric noted that none of the three documents mentioned earlier showed up on the IESG action list that he gets. This was deemed to be a dropped ball. Eric will follow up to determine how the ball got dropped and assure that it doesn't happen again. Tim Howes: Some comments on the schema document, from Colin Robins (sent by email to the OSI-DS list), were distributed. Given that the schema is rapidly changing, the idea of storing (a description of) the schema in the DIT has been investigated. Tim looked first at the '92 Standard, which was very complicated. The `92 information is in his document, but comments he's received indicate that it (the `92 content) should be pared down. The document talks about representing attribute. information in the directory, although no syntaxes were defined. Although the document says this work will be a subset of `92, Tim doesn't think it really is. We must decide on compatibility with `92 vs. having something ``now''. The question was asked: what are the areas of incompatibility? Among others, there is the attribute syntax, which is difficult to figure out. From Colin: how does one go from an OID to an identification of information it represents? It was noted that an OID tree may be useful by itself, independent of other uses. There is a bootstrap problem with this. The issue is where to find a description of information, and what is the efficiency hit? Using well-known locations in the DIT may avoid a recursive upward walk of the tree. This also assumes a configuration run that tells the DSA what well-known locations to check. The directory doesn't do dynamic interpretations of OIDs. It was observed that ``compatibility w. 92'' and ``something that works'' may not be exclusive. Two actions resulted. The first was to define the OID tree. The second was to revise the schema notes in light of the discussion. Tim took both. QOS Experiments. There was no change from the previous meeting. This work has not been a priority (although there is work ``scheduled'', to be done on Macintosh DUA). Sylvain noted that code that he has seen doesn't match the RFC (which may have changed since he last checked it). Tim wanted this taken off the Agenda, since it isn't a priority. He would like to surprise us with progress when it happens. JPEG. The JPEG attribute is not in the schema, but there is code to 5 handle it in ISODE. Russ would like this to be its end. Proposed to carry over to next time when the schema group is represented (and so it shall be). Character Set. (Geir Pederson was not present): Again, the schema group was an issue. A discussion commenced on how to get this done. IANA was suggested as a source of help. A problem with this is that we would need to find someone with directory experience to take on some editing load. It was recommended that we talk with IANA, then worry about the short-term. Selection of the time and place for the next meeting involved two choices: INTEROP (October in San Francisco), and the next IETF (November in Washington). A vote marginally favored the November IETF meeting, and this was agreed on. DSA and DUA Metrics (OSI-DS33 ,OSI-DS 34) o Measure pilot projects' success. o Deliverables - metrics papers for: - DUAs. - DSAs. - Pilots' metrics. o No absolute measure of goodness or badness of DUAs; there's SOME importance to the numbers, though. Comments on these papers: o Set up an FTP ID to keep the OSI-DS documents in for easy retrieval before these meetings. SEH to address. o DSA Document - need hands-on experience to tell if this document is really worthwhile and accurate. (comment by Eric Huizer). o DUA document - section l2 (query resolution) not very clear what one should enter to initiate the query (comment by Time Howes). o DUA document - 5 steps to enter a query as opposed to on line via UFN. o BOTH - is this a Consumer Reports on DUAs/DSAs? SEH - the user endorsement section contains the necessary feedback for analysis. o BOTH - there were comments from Paul Andre, were they being incorporate? 6 o DSA Document - section 5,need to discuss the environment - how can we measure implementations on different machines? (comment by Tim Howes). o DSA Document - need more than lOO to 5OOO entries for accurate testing (comment by Tim Howes). o DSA Document - need more discussion on security aspects (unknown). o BOTH - metrics will not be useful until they are tried out/tested against (unknown). o BOTH - make measurements available via informational RFC. o DSA Document - other implementations tested besides QUIPU? (comment by Sylvain Langlois) (Pissaro(sp?), ICL, Dirwiz....) o S. Hardcastle-kille: How many of us are responsible for DUA implementations? Would it be worthwhile to make these documents publicly available? SEH to use RFC for informational test until next meeting for feedbacks. E. Huizer To do Siemens DSA. T. Howes/R. Wright Will do DUAs we'll evaluate findings at next meeting. S. Hardcastle-Kille To get these published as RFCs. Everyone To see that these get filled in when DUA's and DSA's tested. o Comment - what's the difference between RFC 1292 and DS 33 and 34? SEH: 33 and 34 much lower level (and more work to fill out) S. Hardcastle-Kille suggested that the vendor be asked if they filled out a 33 or 34 before answering to RFC l292. Representing Network Infrastructure Information in X.5OO (Mark Knopper) Draft circulated. Soft Pages Project (Steve Hardcastle-Kille). o Comment - IP name space: defining an address hierarchy. You really don't need that, what advantage over a flat design? o Comment - Network elements diagram is a network topology. What happens if that changes? (comment by Tim Howes). o Comment - (Mark Hopper). 7 - Not sure if this resolves the problem. - It is too inefficient. - How do you get the bootstrap up and running? o ACTION * - Mark Knopper to document how we might use this (where might the holes be). o Comment - this tree can be kept small just by keeping the DSAs ``near'' you in the DIT, as they are the only ones which should interest you for cost purposes. o Comment - need FTP address for this document (FTP.TOHOKU.AC.JP). o Comment - do we need a Working Group to address this problem? o ACTION* Thomas Johansen and Mark Knopper to reconsider their approaches and attempt some kind of convergence. LDAP (OSI-DS 26, OSI-DS 27) o Comment - kerberos and simple authentication: do we think this is worthwhile and should it be added to the document before it becomes an RFC? (Tim Howes). o S. Hardcastle-Kille: Because it is implemented and deployed, then it should be documented. o Comment - we should submit this to the Standards committee as soon as possible. o Comment - suggestion that we have Christian look at it, as he has strong views on the subject. DSA Naming (OSI-DS l3) o Issue: Avoiding Deadlock. o Comment - the DSA must be named higher in the tree (country level) to prevent deadlock, but you do not insure uniqueness. o Comment - Erik seemed to remember opposition by the Pissaro group, but could not elaborate. o Comment - using subtrees seems to be the way we fix things we can't fix via X.5OO. 8 o ACTION* S. Hardcastle-Kille: To re-write the paper to using non-QUIPU language and references. o Comment - Erik not comfortable, seems like a way to fix a design problem in QUIPU. Need input from other DSA vendors. o ACTION* S. Hardcastle-Kille: To drop this as an OSIDS item and take it up as a design issue with ISODE. Action Items Chris Weider Update OSI-DS 14, 16, 17, 19 (carried forward) E. Huizer Progress Naming Guidelines, DN Syntax, UFN, and LDAP and LDAP Syntaxes as RFCs. Do Siemens DSA. T. Howes/R. Wright Will do DUAs we'll evaluate findings at next meeting. S. Hardcastle-Kille Get these published as RFCs. Everyone to see that these get filled in when DUA's and DSA's tested. M. Knopper To document how we might use this (where might the holes be). T. Johansen/M. Knopper Reconsider their approaches and attempt some kind of convergence. S. Hardcastle-Kille to re-write the paper to using non-QUIPU language and references. Drop this as an OSI-DS item and take it up as a design issue with ISODE. Revise Charter. S. Hardcastle-Kille/E. Huizer Discuss IANA support for Schema Management. T. Howes Write note on representation of OID Trees in Directory. P. Barker Publish Metric Papers as Internet Drafts. S. Sataluri Collect DUA survey results and publish as Internet Draft. 9 Attendees Ed Albrigo ealbrigo@cos.com Claudio Allocchio c.allocchio@elettra.trieste.it C. Allan Cargille cargille@cs.wisc.edu Jodi-Ann Chu jodi@uhunix.uhcc.hawaii.edu James Conklin jbc@bitnic.educom.edu Robert Cooney cooney@wnyose.nctsw.navy.mil Curtis Cox ccox@wnyose.nctsw.navy.mil Urs Eppenberger eppenberger@switch.ch Ray Freiwirth 5242391@mcimail.com Jisoo Geiter geiter@gateway.mitre.org Arlene Getchell getchell@nersc.gov Joan Goldstein j_goldstein@tnpubs.enet.dec.com Steve Hardcastle-Kille s.kille@isode.com John Hawthorne johnh@tigger.rl.af.mil Tim Howes Tim.Howes@umich.edu. Erik Huizer huizer@surfnet.nl Takashi Ikemoto tikemoto@xerox.com Kevin Jordan kej@udev.cdc.com Jim Knowles jknowles@trident.arc.nasa.gov Sylvain Langlois Sylvain.Langlois@der.edf.fr Thomas Lenggenhager lenggenhager@switch.ch John McKenna mckenna@ralvm12.vnet.ibm.com John Murray murray@premenos.sf.ca.us Mark Needleman mhn@stubbs.ucop.edu William Nichols nichols@wick.enet.dec.com Eric Nowak nowak@ans.net Rakesh Patel rapatel@hardees.rutgers.edu Mark Prior mrp@itd.adelaide.edu.au Sheri Repucci smr@merit.edu Jim Romaguera romaguera@cosine-mhs.switch.ch Marshall Rose mrose@dbc.mtview.ca.us Rich Rosenbaum rosenbaum@lkg.dec.com Kenneth Rossen kenr@isc.com Srinivas Sataluri sri@qsun.att.com Douglas Simmons Mark Smithmcs@umich.edu Einar Stefferud stef@nma.com Panos-Gavriil Tsigaridas tsigaridas@fokus.berlin.gmd.dbp.de Justin Walker justin@apple.com William Warner warner@ohio.gov Chris Weider clw@merit.edu Brien Wheeler blw@mitre.org Scott Williamson scottw@nic.ddn.mil Steven Winnett swinnett@bbn.com Russ Wright wright@lbl.gov Yung-Chao Yu yy@qsun.att.com 10