[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: evaluation: draft-legg-ldapext-component-matching

To: hardie@qualcomm.com
Subject: Re: evaluation: draft-legg-ldapext-component-matching
From: "Steven M. Bellovin" <smb@research.att.com>
Date: Wed, 25 Jun 2003 20:00:37 -0400
Cc: iesg-secretary@ietf.org, iesg@ietf.org

In message <p06001205bb1fdb74c1ee@[129.46.227.161]>, hardie@qualcomm.com writes
:
>Steve,
>	I think this draft takes a slightly different road
>than RFC 3454-style stringprep.  The way I look at it, stringprep
>profiles define a set of steps which must be taken in order
>to correctly store a string or compare two strings
>within a particular protocol context (from section 1.2 of
>RFC 3454).  In a sense, it provides a set of mechanisms
>that allow you to manipulate a set of data so that well-known
>matching rules can be safely (and simply) applied.
>	This draft takes the other direction--it leaves
>the data as is, but uses generic matching rules against
>user-identified component parts to allow for
>arbitrarily complex attribute matching.  Some of those
>generic matching rules relate to string matching (section
>4.2.1.1 has a list), but they derive from types set up
>in draft-legg-gser-abnf, which has both ABNF and
>ASN.1 definitions for them.  While stringprep profiles
>could be used in the definitions of some of the generic
>matching rules, I am not sure it is the right fit, since
>the actual matches won't fit within the basic stringprep
>theory.
>	If there are more particular problems you have
>specific string matching profiles, let me know.  Also,
>both Harald and Russ have extensive experience here
>(certainly much more than mine), and I'd be happy to
>have their opinion on how this fits.

I'd like such input, too; any time I comment on this area, I'm skating 
on very thin ice indeed.  However, on rereading 4.2.1.1 I suspect that 
there really is an issue.  If I understand 3454 correctly, you can't 
even properly compare for equality without normalization.  Consider the 
case of an LDAP phone book, where one person prepares the entry -- and 
hence implicitly selects the software used to encode a person's name -- 
while another person queries the phone book, using entirely different 
software.  Without some definition, the proper entry may fail to match.

But as I said, I'm on very shakey ground when I comment on this stuff.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)

Prev by Date: Re: evaluation: draft-legg-ldapext-component-matching
Next by Date: Re: Evaluation: draft-ietf-enum-rfc2916bis - The E.164 to URIDDDS Application (ENUM) to Proposed Standard
Previous by thread: Re: evaluation: draft-legg-ldapext-component-matching
Next by thread: Evaluation: draft-legg-ldapext-component-matching
Index(es):
- Date
- Thread