2 draft-legg-ldap-transfer-03.txt Adacel Technologies
3 Intended Category: Standards Track 16 June 2004
7 Lightweight Directory Access Protocol (LDAP):
8 Transfer Encoding Options
10 Copyright (C) The Internet Society (2004). All Rights Reserved.
15 This document is an Internet-Draft and is in full conformance with
16 all provisions of Section 10 of RFC2026.
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as
23 Internet-Drafts are draft documents valid for a maximum of six months
24 and may be updated, replaced, or obsoleted by other documents at any
25 time. It is inappropriate to use Internet-Drafts as reference
26 material or to cite them other than as "work in progress".
28 The list of current Internet-Drafts can be accessed at
29 http://www.ietf.org/ietf/1id-abstracts.txt
31 The list of Internet-Draft Shadow Directories can be accessed at
32 http://www.ietf.org/shadow.html.
34 This document is intended to be, after appropriate review and
35 revision, submitted to the RFC Editor as a Standard Track document.
36 Distribution of this document is unlimited. Technical discussion of
37 this document should take place on the IETF LDAP Revision Working
38 Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
39 send editorial comments directly to the editor
40 <steven.legg@adacel.com.au>.
42 This Internet-Draft expires on 16 December 2004.
47 Each attribute stored in a Lightweight Directory Access Protocol
48 (LDAP) directory has a defined syntax (i.e., data type). A syntax
52 Legg Expires 16 December 2004 [Page 1]
54 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
57 definition specifies how attribute values conforming to the syntax
58 are normally represented when transferred in LDAP operations. This
59 representation is referred to as the LDAP-specific encoding to
60 distinguish it from other methods of encoding attribute values. This
61 document introduces a new category of attribute options, called
62 transfer encoding options, which can be used to specify that the
63 associated attribute values are encoded according to one of these
108 Legg Expires 16 December 2004 [Page 2]
110 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
115 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
116 2. Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . 3
117 3. Transfer Encoding Options. . . . . . . . . . . . . . . . . . . 4
118 4. Defined Transfer Encoding Options. . . . . . . . . . . . . . . 5
119 5. Attributes Returned in a Search. . . . . . . . . . . . . . . . 6
120 6. Syntaxes Requiring Binary Transfer . . . . . . . . . . . . . . 7
121 7. Security Considerations. . . . . . . . . . . . . . . . . . . . 7
122 8. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 8
123 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
124 9.1. Normative References . . . . . . . . . . . . . . . . . . 9
125 9.2. Informative References . . . . . . . . . . . . . . . . . 10
126 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10
127 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 10
131 Each attribute stored in a Lightweight Directory Access Protocol
132 (LDAP) directory [ROADMAP] has a defined syntax (i.e., data type)
133 which constrains the structure and format of its values.
135 The description of each syntax [SYNTAX] specifies how attribute or
136 assertion values [MODELS] conforming to the syntax are normally
137 represented when transferred in LDAP operations [PROT]. This
138 representation is referred to as the LDAP-specific encoding to
139 distinguish it from other methods of encoding attribute values.
141 This document introduces a new category of attribute options
142 [MODELS], called transfer encoding options, that allow attribute and
143 assertion values to be transferred using an alternative method of
144 encoding. This document defines several transfer encoding options
145 which can be used in an attribute description [MODELS] in an LDAP
146 operation to specify that the associated attribute values or
147 assertion value are, or are requested to be, encoded according to
148 specific Abstract Syntax Notation One (ASN.1) [X680] encoding rules,
149 instead of the usual LDAP-specific encoding. One option in
150 particular allows Extensible Markup Language (XML) [XML] encodings.
154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
155 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
156 document are to be interpreted as described in BCP 14, RFC 2119
159 This specification makes use of definitions from the XML Information
160 Set (Infoset) [ISET]. In particular, information item property names
164 Legg Expires 16 December 2004 [Page 3]
166 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
169 are presented per the Infoset, e.g., [local name].
171 3. Transfer Encoding Options
173 Transfer encoding options enable attribute and assertion values to be
174 transferred using an alternative method of encoding to the default
175 LDAP-specific encoding. In fact, some attribute and assertion
176 syntaxes do not have a defined LDAP-specific encoding in which case
177 the only way values of those syntaxes can be transferred is by using
178 an alternative encoding.
180 The binary option [BINARY] is not formally regarded as a transfer
181 encoding option, though it has much in common with transfer encoding
182 options. The requirements governing the use of transfer encoding
183 options do not apply to the binary option. The requirements
184 governing the use of the binary option are described elsewhere
187 In terms of the protocol [PROT], a transfer encoding option specifies
188 that the contents octets of an associated AttributeValue or
189 AssertionValue OCTET STRING are a complete encoding of the relevant
190 value according to the encoding method specified by the option.
192 Where a transfer encoding option is present in an attribute
193 description the associated attribute values or assertion value MUST
194 be encoded according to the encoding method corresponding to the
195 option. Note that it is possible for a syntax to be defined such
196 that its LDAP-specific encoding is exactly the same as its encoding
197 according to some transfer encoding option (e.g., the LDAP-specific
198 encoding might be defined to be the same as the BER encoding).
200 Transfer encoding options are mutually exclusive. An attribute
201 description SHALL NOT contain more than one transfer encoding option,
202 and SHALL NOT contain both a transfer encoding option and the binary
205 Transfer encoding options are not tagging options [MODELS] so the
206 presence of a transfer encoding option does not specify an attribute
207 subtype. An attribute description containing a transfer encoding
208 option references exactly the same attribute as the same attribute
209 description without the transfer encoding option. The
210 supertype/subtype relationships of attributes with tagging options
211 are not altered in any way by the presence or absence of transfer
214 An attribute description SHALL be treated as unrecognized if it
215 contains a transfer encoding option and the syntax of the attribute
216 does not have an associated ASN.1 type [SYNTAX], or if the nominated
220 Legg Expires 16 December 2004 [Page 4]
222 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
225 encoding is not supported for that type.
227 The presence or absence of a transfer encoding option only affects
228 the transfer of attribute and assertion values in protocol; servers
229 store any particular attribute value in a single format of their
232 4. Defined Transfer Encoding Options
234 The attribute option string "transfer-ber" specifies that the
235 associated attribute values or assertion value are (to be) encoded
236 according to the Basic Encoding Rules [X690] of ASN.1. This option
237 is similar to the binary option [BINARY], however servers are more
238 restricted in when they can use "transfer-ber" which leads to more
239 predictability in the results returned to clients who request
242 The attribute option string "transfer-der" specifies that the
243 associated attribute values or assertion value are (to be) encoded
244 according to the Distinguished Encoding Rules [X690] of ASN.1.
246 The attribute option string "transfer-gser" specifies that the
247 associated attribute values or assertion value are (to be) encoded
248 according to the Generic String Encoding Rules (GSER) [RFC3641].
250 The attribute option string "transfer-rxer" specifies that the
251 associated attribute values or assertion value are (to be) encoded as
252 an XML document [XML]. The [local name] of the [document element] of
253 the document information item representing the associated value SHALL
254 be the identifier of the NamedType [X680] in the LDAP ASN.1
255 specification [PROT] defining the associated attribute value or
256 assertion value, or "item" if the associated value isn't in a
257 NamedType. This means:
259 - for an AttributeValue the identifier is "value" in every case,
261 - for an AssertionValue in an AttributeValueAssertion the identifier
264 - for an AssertionValue in a SubstringFilter the identifier is
265 "initial", "any" or "final", as appropriate,
267 - for an AssertionValue in a MatchingRuleAssertion the identifier is
270 The [namespace name] of the [document element] SHALL have no value.
271 The content of the [document element] is the Robust XML Encoding
272 Rules (RXER) [RXER] encoding of the associated attribute or assertion
276 Legg Expires 16 December 2004 [Page 5]
278 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
281 value. Note that the enclosing element for the RXER encoding has the
282 form it would take in an XLDAP operation [XLDAP].
284 Note that, like all attribute options, the strings representing
285 transfer encoding options are case insensitive.
287 All future registrations of option strings for transfer encoding
288 options should use the "transfer-" prefix so that LDAP clients and
289 servers can recognize that an option is a transfer encoding option
290 even though the particular encoding rules may be unrecognized.
292 5. Attributes Returned in a Search
294 An LDAP search request [PROT] contains a list of the attributes (the
295 requested attributes list) to be returned from each entry matching
296 the search filter. An attribute description in the requested
297 attributes list also implicitly requests all subtypes of the
298 attribute type in the attribute description, whether through
299 attribute subtyping or attribute tagging option subtyping [MODELS].
301 The requested attributes list MAY contain attribute descriptions with
302 a transfer encoding option, but MUST NOT contain two attribute
303 descriptions with the same attribute type and the same tagging
304 options (even if only one of them has a transfer encoding option). A
305 transfer encoding option in an attribute description in the requested
306 attributes list implicitly applies to the subtypes of the attribute
307 type in the attribute description.
309 If the list of attributes in a search request is empty, or contains
310 the special attribute description string "*", then all user
311 attributes are requested to be returned.
313 In general, it is possible for a particular attribute to be
314 explicitly requested by an attribute description and/or implicitly
315 requested by the attribute descriptions of one or more of its
316 supertypes. In such cases the effective transfer encoding being
317 requested for a particular attribute is determined by the transfer
318 encoding option (or lack thereof) in the most specific attribute
319 description in the requested attributes list that applies to the
322 An applicable attribute description with an actual attribute type is
323 more specific than the special attribute description string "*".
325 If the attribute type of one applicable attribute description is a
326 direct or indirect subtype of the attribute type in another
327 applicable attribute description then the former attribute
328 description is more specific than the latter attribute description.
332 Legg Expires 16 December 2004 [Page 6]
334 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
337 If two applicable attribute descriptions have the same attribute type
338 and the tagging options of one attribute description are a superset
339 of the tagging options of the other attribute description then the
340 former attribute description is more specific than the latter
341 attribute description.
343 Attributes MUST either be returned in the effective transfer encoding
344 requested, be returned with no attribute values, or be omitted from
345 the results. An attribute SHALL NOT be returned using an encoding
346 other than the effective transfer encoding requested.
348 Regardless of the encoding chosen, a particular attribute value is
349 returned at most once.
351 6. Syntaxes Requiring Binary Transfer
353 Certain syntaxes are required to be transferred in the BER encoded
354 form. These syntaxes are said to have a binary transfer requirement.
355 The Certificate, Certificate List, Certificate Pair and Supported
356 Algorithm syntaxes [PKI] are examples of syntaxes with a binary
357 transfer requirement. These syntaxes also have an additional
358 requirement that the exact BER encoding must be preserved. Note that
359 this is a property of the syntaxes themselves, and not a property of
360 the binary option or any of the transfer encoding options.
362 Transfer encoding options SHALL take precedence over the requirement
363 for binary transfer. For example, if the effective transfer encoding
364 requested is say "transfer-gser", then attribute values of a syntax
365 with a binary transfer requirement will be GSER encoded. In the
366 absence of a transfer encoding option the normal rules on binary
367 transfer and the use of the binary option SHALL apply.
369 7. Security Considerations
371 There is a requirement on some attribute syntaxes that the exact BER
372 encoding of values of that syntax be preserved. In general, a
373 transformation from the BER encoding into some other encoding (e.g.,
374 GSER) and back into the BER encoding will not necessarily reproduce
375 exactly the octets of the original BER encoding.
377 Applications needing the original BER encoding to be preserved, e.g.,
378 for the verification of digital signatures, MUST NOT request
379 attributes with such a requirement using a transfer encoding option.
380 These attributes MUST be requested explicitly or implicitly with the
381 binary option, or implicitly without the binary option (or any
382 transfer encoding option).
384 When interpreting security-sensitive fields, and in particular fields
388 Legg Expires 16 December 2004 [Page 7]
390 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
393 used to grant or deny access, implementations MUST ensure that any
394 matching rule comparisons are done on the underlying abstract value,
395 regardless of the particular encoding used.
397 8. IANA Considerations
399 The Internet Assigned Numbers Authority (IANA) is requested to update
400 the LDAP attribute description option registry [BCP64] as indicated
401 by the following templates:
404 LDAP Attribute Description Option Registration
405 Option Name: transfer-ber
406 Family of Options: NO
407 Person & email address to contact for further information:
408 Steven Legg <steven.legg@adacel.com.au>
409 Specification: RFC XXXX
410 Author/Change Controller: IESG
414 LDAP Attribute Description Option Registration
415 Option Name: transfer-der
416 Family of Options: NO
417 Person & email address to contact for further information:
418 Steven Legg <steven.legg@adacel.com.au>
419 Specification: RFC XXXX
420 Author/Change Controller: IESG
424 LDAP Attribute Description Option Registration
425 Option Name: transfer-gser
426 Family of Options: NO
427 Person & email address to contact for further information:
428 Steven Legg <steven.legg@adacel.com.au>
429 Specification: RFC XXXX
430 Author/Change Controller: IESG
434 LDAP Attribute Description Option Registration
435 Option Name: transfer-rxer
436 Family of Options: NO
437 Person & email address to contact for further information:
438 Steven Legg <steven.legg@adacel.com.au>
439 Specification: RFC XXXX
440 Author/Change Controller: IESG
444 Legg Expires 16 December 2004 [Page 8]
446 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
453 9.1. Normative References
455 [KEYWORD] Bradner, S., "Key words for use in RFCs to Indicate
456 Requirement Levels", BCP 14, RFC 2119, March 1997.
458 [BCP64] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
459 Considerations for the Lightweight Directory Access
460 Protcol (LDAP)", BCP 64, RFC 3383, September 2002.
462 [ROADMAP] Zeilenga, K., "Lightweight Directory Access Protocol
463 (LDAP): Technical Specification Road Map",
464 draft-ietf-ldapbis-roadmap-xx.txt, a work in progress,
467 [MODELS] Zeilenga, K., "LDAP: Directory Information Models",
468 draft-ietf-ldapbis-models-xx.txt, a work in progress, June
471 [PROT] Sermersheim, J., "LDAP: The Protocol",
472 draft-ietf-ldapbis-protocol-xx.txt, a work in progress,
475 [SYNTAX] Legg, S. and K. Dally, "Lightweight Directory Access
476 Protocol (LDAP): Syntaxes and Matching Rules",
477 draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress,
480 [RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
481 Types", RFC 3641, October 2003.
483 [BINARY] Legg, S., "Lightweight Directory Access Protocol (LDAP):
484 The Binary Encoding Option",
485 draft-legg-ldap-binary-xx.txt, a work in progress, June
488 [RXER] Legg, S. and D. Prager, "Robust XML Encoding Rules for
489 ASN.1 Types", draft-legg-xed-rxer-00.txt, a work in
492 [X680] ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1,
493 Information technology - Abstract Syntax Notation One
494 (ASN.1): Specification of basic notation.
496 [X690] ITU-T Recommendation X.690 (07/02) | ISO/IEC 8825-1,
500 Legg Expires 16 December 2004 [Page 9]
502 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
505 Information Technology - ASN.1 encoding rules:
506 Specification of Basic Encoding Rules (BER), Canonical
507 Encoding Rules (CER) and Distinguished Encoding Rules
510 [XML] Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E. and
511 F. Yergeau, "Extensible Markup Language (XML) 1.0 (Third
512 Edition)", W3C Recommendation,
513 http://www.w3.org/TR/2004/REC-xml-20040204, February 2004.
515 [ISET] Cowan, J. and R. Tobin, "XML Information Set",
516 http://www.w3.org/TR/2001/REC-xml-infoset-20011024,
519 9.2. Informative References
521 [XLDAP] Legg, S. and D. Prager, "The XML Enabled Directory:
522 Protocols", draft-legg-xed-protocols-xx.txt, a work in
528 Adacel Technologies Ltd.
530 Brighton, Victoria 3186
533 Phone: +61 3 8530 7710
535 Email: steven.legg@adacel.com.au
537 Full Copyright Statement
539 Copyright (C) The Internet Society (2004). This document is subject
540 to the rights, licenses and restrictions contained in BCP 78, and
541 except as set forth therein, the authors retain all their rights.
543 This document and the information contained herein are provided on an
544 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
545 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
546 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
547 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
548 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
549 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
551 Intellectual Property
556 Legg Expires 16 December 2004 [Page 10]
558 INTERNET-DRAFT LDAP: Transfer Encoding Options June 16, 2004
561 The IETF takes no position regarding the validity or scope of any
562 Intellectual Property Rights or other rights that might be claimed to
563 pertain to the implementation or use of the technology described in
564 this document or the extent to which any license under such rights
565 might or might not be available; nor does it represent that it has
566 made any independent effort to identify any such rights. Information
567 on the procedures with respect to rights in RFC documents can be
568 found in BCP 78 and BCP 79.
570 Copies of IPR disclosures made to the IETF Secretariat and any
571 assurances of licenses to be made available, or the result of an
572 attempt made to obtain a general license or permission for the use of
573 such proprietary rights by implementers or users of this
574 specification can be obtained from the IETF on-line IPR repository at
575 http://www.ietf.org/ipr.
577 The IETF invites any interested party to bring to its attention any
578 copyrights, patents or patent applications, or other proprietary
579 rights that may cover technology that may be required to implement
580 this standard. Please address the information to the IETF at
585 A transfer encoding option for RXER has been added.
589 The local name of the root element of the XML document representing
590 an attribute value encoded according to the transfer-rxer encoding
591 option has been changed from "item" to "value" to align with
592 revisions to the LDAP protocol specification [PROT].
594 The Directory XML Encoding Rules (DXER) have been renamed to the
595 Robust XML Encoding Rules (RXER).
599 The special attribute description strings that consist of the
600 asterisk character followed by a transfer encoding option, e.g.,
601 "*;transfer-ber", "*;transfer-gser", have been removed from this
602 specification. An LDAP control will be defined in a separate
603 document to provide equivalent functionality.
612 Legg Expires 16 December 2004 [Page 11]
projects / openldap / blob