RADUA J. Coretta Internet-Draft August 27, 2024 Intended status: Experimental Obsoletes: X660LDAP Expires: February 23, 2025 The OID Directory: The RA DUA draft-coretta-oiddir-radua-01.txt Abstract In service to the "OID Directory" I-D series, this I-D covers design strategies, requirements and procedures for the client component of the OID Directory Registration Authority client/server model. See the RADIR I-D for a complete draft series manifest. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 23, 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Coretta Expires February 23, 2025 [Page 1] Internet-Draft The OID Directory: RA Client August 2024 Table of Contents 1. Introduction ....................................................2 1.1. Conventions ................................................2 1.2. Acronyms Used ..............................................2 1.2.1. Definitions ...........................................3 1.3. Intended Audience ..........................................3 1.5. Parameter Abstraction ......................................3 2. The RA DUA ......................................................3 2.1. Defined Parameters .........................................4 2.2. Procedures .................................................5 2.2.1. Schema Availability ...................................5 2.2.2. Configuration .........................................5 2.2.3. Queries ..............................................10 2.2.4. New Allocations ......................................17 2.2.5. Allocation Updates ...................................22 3. IANA Considerations ............................................23 4. Security Considerations ........................................23 5. References .....................................................23 5.1. Normative References ......................................23 5.2. Informative References ....................................24 Author's Address ..................................................25 1. Introduction The X.500 Directory User Agent represents the client component within the traditional client/server model that interacts with any number of X.500 Directory System Agents for the purposes of information access. Within the terms of this I-D series, the Directory User Agent serves as a client of OID registration and registrant content, as retrieved from a Registration Authority Directory Information Tree. 1.1. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. Acronyms Used See Section 1.3 of the RADIR I-D for all acronym references. Also, see Sections 1.7 and 1.8 of the RADIR I-D for generalized terms and descriptions of significance to this I-D series. Coretta Expires February 23, 2025 [Page 2] Internet-Draft The OID Directory: RA Client August 2024 1.2.1. Definitions The composite acronym "RA DUA" is hereby introduced within this I-D. The acronym abbreviates the aforementioned 'Registration Authority Directory User Agent' term, which describes the 'client' component implied within the client/server model relevant to this I-D series. The composite acronym "RA DSA" used throughout this I-D is defined in Section 1.2.1 of the RADSA I-D. The composite acronym "RA DIT" used throughout this I-D is defined in Section 1.2.1 of the RADIT I-D. 1.3. Intended Audience This I-D is intended for application designers, X.500/LDAP architects and other personnel tasked with supporting or designing components related to the RA client/server model in service to this I-D series. General familiarity with the broad X.500/LDAP specification, as well all supporting I-Ds cited in Section 2 of the RADIR I-D is STRONGLY RECOMMENDED. 1.4. Parameter Abstraction For simplicity in describing certain request or argument parameters involving either DAP or LDAP operations in this I-D, a simplified abstraction of ASN.1 parameters is shown to aid RA DUA adopter. For example, the following structure may be used to outline the parameters of a Read or Search Operation to be conducted as part of an RA DUA managed procedure. baseObject = dn ; DN: see RFC4514 and X.501 scope = 0/1/2 ; eq. X.511 'subset' typesOnly = bool or int ; see. X.511 'EntryInformationSelection' ; and RFC4512 'SearchRequest' filter = filter ; see X.511 and RFC4515 attributes = selection(s); see. X.511 'EntryInformationSelection' ; and RFC4512 'AttributeSelector' While the abstraction has favored the use of LDAP-focused parameters derived from [RFC4511], adopters MAY assume similar directives are applicable within the context of DAP unless otherwise indicated. 2. The RA DUA The RA DUA is a traditional X.500/LDAP client -- supporting most or all of the standard operations defined throughout clauses 9 through 12 of ITU-T Rec. X.511, and throughout Section 4 of [RFC4511] -- that has been OPTIMIZED for use within the terms of this I-D series. Coretta Expires February 23, 2025 [Page 3] Internet-Draft The OID Directory: RA Client August 2024 2.1. Defined Parameters The RA DUA is expected to support the directory protocols facilitated by the endpoint RA DSA(s), whether DAP, LDAP or both. Support for connectivity via the OSI networking stack, TCP/IP or IPC socket by the RA DUA is determined by the operational requirements of the RA DSA(s) in question. Support for parallel X.500 protocols -- such as DOP or DSP -- is not specifically indicated. No recommendations are made regarding the "appearance" or interactive nature of the RA DUA (i.e.: TUI vs. GUI), nor are any recommendations made regarding the specific language or framework used in its design. No particular software license applied to the RA DUA is assumed. The intended application may be for any end user in general, or it may be administratively focused. The RA DUA may be obtained by the general public, or it may be wholly proprietary and for internal use only. The capabilities of the RA DUA MAY be flexible to suit the end user, or it may be strictly regimented, allowing few variations of behavior in routine operations. In situations where an RA DUA is designed solely for the query and presentation of entries with no possibility of support for entry modifications, adopters MAY forego implementation of operational capabilities that are Write-focused in nature. Application designers SHOULD make use of ONLY industry-recognized X.500/LDAP APIs, SDKs or libraries in a manner compliant with all "Best Practices" suggested by both the maintainer(s) and the authors of the standards indicated. The RA DUA is not necessarily user-managed. An RA DUA may manifest in "clientless" form -- for example, facilitated through a web-based application interface residing on the RA DSA(s) directly, thus acting in the context of an abstract protocol gateway. These strategies may prove useful in reducing both the effort required by the end-user in order to access the service, as well as the costs of supporting the end user. Regardless of the design and deployment philosophies employed, the primary focus of the RA DUA -- with particular emphasis on any and all proposed optimizations -- is to reduce the tedium of access and administration of potentially large registration and authority bases, and to introduce protective controls meant to ensure integrity of all relevant content within the RA DIT. Coretta Expires February 23, 2025 [Page 4] Internet-Draft The OID Directory: RA Client August 2024 2.2. Procedures The RA DUA SHALL observe the procedures defined in the following subsections as it pertains to the query, allocation and maintenance of 'registration' and 'registrant' entries within an RA DSA. 2.2.1. Schema Availability The RA DUA MUST obtain -- or possess complete foreknowledge of -- all schema definitions officially defined in Section 2 of the RASCHEMA I-D as well as the schema definitions serving as super types for many of the attribute types defined in Section 2.3 of the RASCHEMA I-D. In addition, the RA DUA MUST both recognize and honor any additional DIT content rules, DIT structure rules and/or (additional) name forms created by the directory architects or administrators after-the-fact. Obtaining the necessary schema definitions is typically conducted in either of the following manners, shown in order of preference. - Through a direct Read of the 'subschemaSubentry' of the RA DSA - Through manual processing of the (approved) schema file(s) based upon the complete contents of the RASCHEMA I-D When obtaining the schema through use of a Read or Search Operation, the schema SHOULD be refreshed at the commencement of a new RA DUA session. This accounts for changes to the schema definitions that may have taken place during runtime. If the RA DSA has no apparent knowledge of the definitions to be used for the query and/or allocation of registrations and/or registrants within the RA DIT, the RA DUA MUST abandon attempts to interact with the RA DSA. It is RECOMMENDED that, in this case, the RA DUA present the user with error information describing the problem. This could suggest an RA DSA configuration problem, or possibly that the wrong RA DSA has been targeted by the RA DUA. 2.2.2. Configuration There are two (2) modes of RA DUA configuration: automatic or manual. Section 2.3 of the RASCHEMA I-D introduces a small handful of types intended for "advertisement" by the RA DSA and for consumption by the RA DUA. These attributes are as follows: - 'rARegistrationBase' ; ex.: ou=Registrations,o=rA - 'rARegistrantBase' ; ex.: ou=Registrants,o=rA - 'rADirectoryModel' ; ex.: 1.3.6.1.4.1.56521.101.3.1.3 - 'rAServiceMail' ; ex.: support@ra.example.com - 'rAServiceURI' ; ex.: https://ra.example.com - 'rADITProfile' ; ex.: dc=example,dc=com - 'rATTL' ; ex.: 86400 Coretta Expires February 23, 2025 [Page 5] Internet-Draft The OID Directory: RA Client August 2024 These attribute types are extended through use of the 'rADUAConfig' AUXILIARY object class. See Section 2.3.6 of the RADSA I-D for usable examples involving this class. Auto-discovery of these attribute types will require disclosure privileges for the root DSE and any other entries that bear the 'rADUAConfig' object class. Though the particulars of the root DSE are well outside the scope of this I-D series, it is typically accessed via the Read Operation executed upon a NULL baseObject. Retrieval SHOULD be made conditional using the 'rADUAConfig' object class as the filter AVA, and SHOULD involve attribute selection of the types shown below. filter = objectClass=rADUAConfig ; Require 'rADUAConfig' attributes = rARegistrationBase rARegistrantBase rADirectoryModel rAServiceMail rAServiceURI rADITProfile rATTL If zero (0) entries are returned as a result of the Read Operation, this indicates any of the following: - The RA DSA is not available - The root DSE is not accessible, possibly due to access rights - The root DSE is accessible, but lacks the 'rADUAConfig' class Given any of these conditions, automatic parameter input has failed. The RA DUA has no alternative other than manual parameter input. If one (1) entry is returned, the root DSE is accessible and has been configured for automatic input. The RA DUA SHOULD choose to proceed with configuration using the values provided. See Section 2.3.6 of the RADSA I-D regarding the possible methods for implementation of this entry with respect to multiple RA DITs served by an RA DSA as opposed to a single RA DIT. If manual input of configuration values is required, typically this would require foreknowledge of the correct values, or access to an informational resource which makes those values available. In this scenario, the RA DUA MUST request the user follow a procedure for manual input prior to use. Lack of proper configuration values precludes any RA DUA session. Coretta Expires February 23, 2025 [Page 6] Internet-Draft The OID Directory: RA Client August 2024 2.2.2.1. Processing Following value input -- whether automatic or manual -- the acquired values MUST be processed and validated. The following subsections cover each 'rADUAConfig'-extended attribute type in the context of runtime configuration of the RA DUA. 2.2.2.1.1. 'rADITProfile' The 'rADITProfile' attribute type stores any number of DN values, each acting as a reference to a DIT-housed 'rADUAConfig' entry which contains the standard configuration parameters required by the RA DUA. The 'rADITProfile' attribute type is a CRITICAL component within any implementation in which the following conditions apply: - Multiple RA DITs reside on a single RA DSA, with each RA DIT accessed using potentially different configuration values - Single RA DITs which bear usable configuration settings within DIT entry contexts -- as opposed to storage within the root DSE In either case, the root DSE SHALL NOT contain any of the attribute types extended by the MAY clauses of the 'rADUAConfig' AUXILIARY object class OTHER THAN the 'rADITProfile', 'rATTL', 'rAServiceMail', and 'rAServiceURI' attribute types. Similarly, referenced 'rADUAConfig' entries within an RA DIT SHALL NOT bear instances of the 'rADITProfile' attribute type. Instances where these attribute types are improperly combined within entries is considered a "Duplicate RA Context Error" and represents a serious operational deficiency that MUST be reported to the end user. The RA DUA SHOULD fail the session or (optionally) allow for administrative override if corrective measures may be taken. 2.2.2.1.2. 'rARegistrationBase' The 'rARegistrationBase' attribute type is the most CRITICAL of all attribute types related to RA DUA configuration. The purpose of this multi-valued type is to store the DN(s) in which 'registration' entries are stored. This parameter is REQUIRED, as it prevents the need for inefficient broad-level Search Operations, potentially within a particularly large directory information tree. The RA DUA MUST handle the instance value(s) as follows: Coretta Expires February 23, 2025 [Page 7] Internet-Draft The OID Directory: RA Client August 2024 1. Verify presence and accessibility of entries identified by the respective DN values using the Read Operation 2. Determine whether the given entries bear the 'registration' ABSTRACT object class 2a. If the named entries DO NOT bear the 'registration' class, the RA DUA must interpret the entries as simple organizational containers housing 'registration' entries one (1) level below 2b. If the named entries bear the 'registration' class, this is indicative of an official starting-point for registration content within the "OID Directory" 3. Preserve these DNs for the remainder of the session, as they will influence the various operations that may take place In the case of condition "2a", a read-only RA DUA MAY opt to fail the session if no 'registration' entries reside exactly one (1) level beneath the apparent "organizational container" entry. The RA DUA MAY allow for administrative override of this behavior, thereby allowing retroactive registration creation within an implementation not yet populated. 2.2.2.1.3. 'rARegistrantBase' The 'rARegistrantBase' attribute type is OPTIONAL in terms of RA DUA configuration. It identifies one (1) or more DNs which lead to the location of authority-related entries within the RA DIT. The RA DUA MUST handle the value(s) associated with this type as follows: 1. Verify presence and accessibility of entries identified by the respective DN values using the Read Operation 2. Compare the DN values to those within the 'rARegistrationBase' attribute type instance 2a. If the DN values are identical, this implies use of combined authority/registration entries in a single location within the RA DIT -- a procedure that is generally discouraged 2b. If the DN values are different, this implies use of dedicated authority entries, which bear the 'registrant' STRUCTURAL object class and reside in a location separate from that which houses entries bearing the 'registration' STRUCTURAL Object Class 2c. If no DN values are specified within the 'rARegistrantBase' attribute type instance, the RA DUA MAY interpret this as an indication that no authority information is available within the RA DIT, and associated authority attribute types SHOULD NOT be requested by the RA DUA In the case of "2a", the RA DUA SHOULD include all attribute types specified within the 'currentAuthorityContext', 'sponsorContext' and 'firstAuthorityContext' 'MAY' clauses for subsequent Read Operations of 'registration' entries. Coretta Expires February 23, 2025 [Page 8] Internet-Draft The OID Directory: RA Client August 2024 In the case of "2b", the RA DUA SHOULD include all attribute types specified within 'currentAuthorityContext', 'sponsorContext' and 'firstAuthorityContext' 'MAY' clauses for subsequent Read Operations of 'registrant' entries. Dedicated authority entries bearing the 'registrant' STRUCTURAL object class should be located exactly one (1) level below each specified 'rARegistrantBase' DN value within the RA DIT. Depending on the nature of implementation of this I-D series, it may or may not be advisable to populate the 'rARegistrantBase' attribute type for consumption by all clients indiscriminately. See Section 5.2 of the RADIT I-D for security considerations on this topic. 2.2.2.1.4. 'rADirectoryModel' The 'rADirectoryModel' type describes the abstract structure of the RA DIT in terms of 'registration' layout and probable DN syntax. The employed model shall have a profound influence on the manner in which the RA DUA shall interact with the RA DIT. A specified directory model is REQUIRED for proper functioning of the RA DUA, whether directly or indirectly. The decided model specifier, which MUST be a numeric OID, is declared using the 'rADirectoryModel' attribute type. Sections 3.1.2 and 3.1.3 of the RADIT I-D define two (2) official directory models and DN syntax schemes identified by the following numeric OIDs: - 'twoDimensional' (1.3.6.1.4.1.56521.101.3.1.2) - 'threeDimensional' (1.3.6.1.4.1.56521.101.3.1.3) In virtually every case, the 'threeDimensional' model is STRONGLY RECOMMENDED for implementation and use, however RA DUAs SHOULD be prepared to incorporate other models that could be defined in any future extensions to this I-D series. The RA DUA MUST support use of the 'threeDimensional' model without exception and to the letter of every recommendation set forth within this I-D series. As stated clearly and in no uncertain terms within the originating document, the 'twoDimensional' model is STRONGLY DISCOURAGED aside from use in non-standard or particularly unusual scenarios. The RA DUA MAY support use of the 'twoDimensional' model at the discretion of the application designer. Support for this model is purely OPTIONAL. Coretta Expires February 23, 2025 [Page 9] Internet-Draft The OID Directory: RA Client August 2024 The RA DUA MUST handle the value of this instance as follows: 1. Determine whether the 'rADirectoryModel' attribute type has been set with an explicit numeric OID 1a. If NO numeric OID has been specified, use of the RECOMMENDED 'threeDimensional' model is to be enforced by DEFAULT 1b. If a numeric OID has been specified, identify the value as a known and supported model OID and adjust RA DUA behavior in accordance with prescribed procedures of the RADIT I-D 1c. If a numeric OID has been specified and is not immediately identifiable within the terms of this I-D series -- such as a future extension of this standard -- the RA DUA MAY defer to the specifics of the recommendation or I-D from which the OID originates OR the RA DUA MAY choose to fail the session 2. Preserve the value for the remainder of the session, as it will influence the specifics of operations that may occur In the case of condition "1c", if the RA DUA chooses to fail the session, the RA DUA SHOULD present the user with an error message indicating the encounter with an unknown or as-of-yet unsupported directory model identifier. 2.2.2.1.5. Additional Parameters The 'rAServiceMail' attribute type, when defined, contains any number of email addresses meant for support or request purposes. Use of this type in the RA DIT is OPTIONAL, but SHOULD be recognized by the RA DUA when present. The 'rAServiceURI' attribute type, when defined, contains any number of URI values related to the service, such as terms of use, support information, documentation and other resources. Use of this type in the RA DIT is OPTIONAL, but SHOULD be recognized by the RA DUA when present. The 'rATTL' attribute type, when defined for an entry bearing the 'rADUAConfig' class, imposes a global entry caching TTL value meant for consumption and observance by qualified RA DUA implementations. See Section 2.2.3.4 for details and semantics regarding assignment and precedence strategies for a TTL. 2.2.3. Queries This subsection covers strictly read-related operations, such as the location and presentation of a given 'registration' entry. 2.2.3.1. Retrieving Entries The RECOMMENDED procedure for retrieving an entry -- in any directory model defined in this I-D series -- is a Read Operation of the entry by way of its DN. This will return either one (1) entry, or none. Coretta Expires February 23, 2025 [Page 10] Internet-Draft The OID Directory: RA Client August 2024 Foreknowledge of the DN is required for a Read Operation attempt of this fashion. If the entry is a 'registration', the DN may be resolved by way of the associated numeric OID using the appropriate process defined in Section 3.1. 'registration' entries may reference other 'registration' entries using the spatial attribute types defined in Section 2.3 of the RASCHEMA I-D and discussed further in Section 2.2.3.3. 'registrant' entries, however, aren't resolvable in any standard manner. These are dedicated authority entries that are normally accessed through references held by any associated 'registration' entries. - 'firstAuthority' and/or 'c-firstAuthority' - 'currentAuthority' and/or 'c-currentAuthority' - 'sponsor' and/or 'c-sponsor' However, in cases where direct referencing of DNs within the context of a Read Operation is not practical, possibly due to any of the following ... - Lack of assigned spatial reference types - An unsupported or incoherent DN syntax is indicated - Administrative operations are underway ... use of List or subtree Search operations may be indicated. While this method of searching is not generally recommended within the spirit of this I-D series, the RA DUA MAY allow this capability where appropriate. If the RA DUA encounters difficulty relating to a particularly large number of entries retrieved through a Search Operation, support for Simple Paged Results Manipulation by the RA DUA may be indicated if supported by the RA DSA. For details, see clause 7.9 of ITU-T Rec. [X.511] and the entirety of [RFC2696]. 2.2.3.2. Reading Entries The following subsections outline the procedures involved in the presentation and analysis of a 'registration' or 'registrant' entry successfully retrieved by way of the Read or Search Operation. 2.2.3.2.1. Entry 'objectClass' Analysis Given a successfully conducted Read or Search Operation, and assuming a single entry -- whether 'registration' or 'registrant' -- has been returned, the RA DUA SHOULD first read the 'objectClass' values and make note of all that originate in Section 2.5 of the RASCHEMA I-D. Coretta Expires February 23, 2025 [Page 11] Internet-Draft The OID Directory: RA Client August 2024 The 'registration' ABSTRACT object class is a required class for any OID allocation. This class MUST only appear on entries which bear the 'rootArc' or 'arc' STRUCTURAL class. It is a sub type of the 'top' ABSTRACT class, defined in Section 2.4.1 of [RFC4512] and in clause 13.3.3 of ITU-T Rec. [X.501]. The 'registrant' STRUCTURAL object class is only used for dedicated registrants, which are associated through DN references held by associated 'registration' entries, if any. Appearance upon any other form of entry is a suboptimal or illogical state. Presence of the 'x660Context', 'x680Context' and/or 'x690Context' AUXILIARY classes for a 'registration' entry is permitted. These classes extend multiple attribute types which conceptually derive from ITU-T Recs. [X.660], [X.680] and [X.690]. Presence of the 'x667Context' AUXILIARY class for a 'registration' entry is only expected in cases where an OID allocation involves a 'registeredUUID' attribute type instance and where the assigned 'n' value is the equivalent unsigned 128-bit integer. See ITU-T Rec. [X.667] for information on this topic. Presence of the 'iTUTRegistration' AUXILIARY class is only permitted for allocations bearing the 'arc' STRUCTURAL class and describe an OID beginning with zero (0). It extends no attribute types. Presence of the 'iSORegistration' AUXILIARY class is only permitted for allocations bearing the 'arc' STRUCTURAL class and describe an OID beginning with one (1) It extends no attribute types. Presence of the 'jointISOITUTRegistration' AUXILIARY class is only permitted for allocations bearing the 'arc' STRUCTURAL class and describe an OID beginning with two (2). It extends the 'longArc' attribute type. Entries SHALL NOT bear more than one (1) of the 'iTUTRegistration', 'iSORegistration' or 'jointISOITUTRegistration' classes. Presence of the 'spatialContext' AUXILIARY class is only permitted for 'registration' entries. It extends seven (7) spatial reference attribute types used to describe arrangement of allocations within the OID tree. Additional collective incarnations of some of these attribute types may be indicated. Presence of the 'registrationSupplement' AUXILIARY class is only permitted for 'registration' entries. It extends miscellaneous attribute types which extend from no official standards meant for ease-of-use only. Collective Attributes are described in [RFC3671]. Coretta Expires February 23, 2025 [Page 12] Internet-Draft The OID Directory: RA Client August 2024 Presence of the 'firstAuthorityContext', 'currentAuthorityContext', and 'sponsorContext' AUXILIARY classes is permitted for 'registrant' entries and 'registration' entries alike, and would depend upon the 'registrant' model employed within the RA DIT. Each of these classes extends several identity and contact related attribute types for use within the context of sponsorship, current authorities and previous authorities. Presence of the 'rADUAConfig' AUXILIARY class SHOULD NOT be permitted for 'registration' or 'registrant' entries and indicates a suboptimal or illogical state. Assuming no violations were perceived as outlined above, the state of the entry's object class stack is apparently copacetic. 2.2.3.2.2. Attribute Types Used At a minimum, the RA DUA SHOULD only expect attribute types defined within Section 2.3 of the RASCHEMA I-D, and/or their respective super types defined in [RFC4519], [RFC4524] and [RFC2079], to be assigned to entries within the terms of this I-D series. See Section 3.2 of the RADIT I-D for numerous examples regarding various attribute type use cases and requirements. The RA DIT MAY use other attribute type and object class definitions unrelated to this I-D series, for supplemental reasons, however their incorporation would be wholly proprietary and would have no official standing per this I-D series. 2.2.3.2.3. Value Syntax Each attribute type, whether directly or indirectly, is governed via a syntax definition in terms of the allowed value(s) to be set for an entry. As mentioned in Section 2.1 of the RASCHEMA I-D, standard syntaxes do not necessarily align perfectly with the syntactical requirements of the standards upon which this I-D series is based -- namely ITU-T Recs. [X.660] and [X.680]. To ease the difficulty in implementing an RA DUA which honors the syntactical characteristics of the underlying subject matter -- as opposed to only recognizing the syntax alone -- Section 2.3 of the RASCHEMA I-D includes ABNF productions for every attribute type defined, whether by reference or in literal form, intended for use by those tasked with implementation of this I-D series in some manner. The RA DUA MUST recognize these ABNF productions when reading values that were retrieved through use of the Read or Search Operation. Coretta Expires February 23, 2025 [Page 13] Internet-Draft The OID Directory: RA Client August 2024 The RA DUA MAY decide how to handle the case of reading a previously set attribute value of invalid or non-compliant form. The RA DUA may warn the end-user of a value that is not well-formed, or it may opt to omit the value from visibility altogether. If the RA DUA is of an administrative focus, the opportunity for corrective measures MAY be facilitated. 2.2.3.3. Navigating Registration Entries Some of the more complete RA services, whether public or private, may offer a simple interface to facilitate intuitive incremental movement among registrations that are associated horizontally or vertically in terms of "up", "down", "left", "right", "min", "max" and "top". Depending on the needs of the intended audience, as well as the manner in which this specification is adopted, this can be an exceptionally difficult feature to implement for the RA DUA, but is one that can dramatically improve the user experience. The RA DUA SHOULD NOT assume positive support for this practice in all implementations of this I-D series. 2.2.3.3.1. Superior Vertical References During the Read or Search Operation executed in order to obtain a 'registration' entry, the RA DUA MAY request any of the following attribute types: - 'supArc' - 'c-supArc' - 'topArc' - 'c-topArc' The 'supArc' and 'c-supArc' attribute types describe the immediate superior (parent) registration in terms of ancestral lineage. Only one (1) of each of these attribute types should be present for any given 'registration' entry, never both. The 'topArc' and 'c-topArc' attribute types describe the absolute root registration in terms of ancestral lineage. Only one (1) of each of these attribute types should be present for any given 'registration' entry -- never both. Use of Collective attribute types -- namely those prefaced using the requisite 'c-' flag -- may not be practical in the two dimensional model and thus need not be requested. At no point are the above attribute types to be requested for entries that bear the 'rootArc' STRUCTURAL object class. Root registrations do not have superiors. Coretta Expires February 23, 2025 [Page 14] Internet-Draft The OID Directory: RA Client August 2024 2.2.3.3.2. Subordinate Vertical References Subordinate vertical references tend to be the most challenging among all the various attribute types related to spatial navigation within the terms of this I-D series. The RA DUA MAY request the 'subArc' attribute type as part of the Read or Search Operation used for retrieval of a 'registration' entry from the RA DIT. At no point should an entry bear the 'subArc' attribute type if it bears an 'isLeafNode' instance with a value of TRUE. This indicates an illogical RA DIT condition. When defined, the 'subArc' attribute type instance SHOULD reflect a complete manifest of all references for 'registration' entries that are direct subordinates of the bearer. This instance SHOULD be requested in baseObject-scoped context, and is the only multi valued spatial attribute type defined within this I-D series. The RA DUA SHOULD prefer 'subArc' enumeration to a List Operation beneath a 'registration'. This method of searching is a potentially costly request in the face of particularly large sets of subordinate 'registration' entries present within the RA DIT. The RA DUA SHOULD be prepared to manually sort the set of 'subArc' DN references based on its OID or NumberForm value, however this responsibility may be handled by the RA DSA. 2.2.3.3.3. Horizontal References Horizontal (sibling) references describe both adjacent as well as minimum and maximum 'registration' contexts. During a Search Operation intended to obtain a 'registration' entry, the RA DUA SHOULD request the following attribute types: - 'leftArc' - 'rightArc' - 'minArc' - 'c-minArc' - 'maxArc' - 'c-maxArc' The 'leftArc' attribute type describes the sibling 'registration' entry that is nearest but less than that of the bearer in terms of Number Form ('n') numerical magnitude. The 'rightArc' attribute type describes the sibling 'registration' entry that is nearest but greater than that of the bearer in terms of Number Form ('n') numerical magnitude. Coretta Expires February 23, 2025 [Page 15] Internet-Draft The OID Directory: RA Client August 2024 The 'minArc' and 'c-minArc' attribute types are used to reference the 'registration' entry bearing the lowest magnitude Number Form ('n') value within a set of siblings. Only one (1) of these attribute types should be present for any given 'registration' entry, never both. The 'maxArc' and 'c-maxArc' attribute types are used to reference the 'registration' entry bearing the highest magnitude Number Form ('n') value within a set of siblings. Only one (1) of these attribute types should be present for any given 'registration' entry, never both. 2.2.3.4. Client Entry Caching For particularly large or busy implementations of the I-D series, the RA DUA MAY support basic client-driven entry caching of any retrieved 'registration' and 'registrant' entries by way of either the 'rATTL' or 'c-rATTL' integer attribute types, as defined within Section 2.3 of the RASCHEMA I-D. A valid use case for caching involves serving IANA PEN registrations [PRIVATE], which number in the tens of thousands. Caching may yield tremendous savings in terms of resource utilization associated with particularly large numbers of static entries being retrieved in a repeating manner. This I-D makes no assumptions regarding the design or implementation of the underlying caching subsystem. The only abstract requirement relates to the ability to cache a single directory entry for a span of time equivalent to the effective TTL value in minutes. The RA DUA SHOULD allow for the user to determine whether an entry being presented is derived from a cache. 2.2.3.4.1. Semantics An 'rATTL' may be found in the following contexts wherever the 'rADUAConfig', 'registration' or 'registrant' classes are present. - A root DSE - An RA DIT context - An individual leaf-node entry The collective counterpart attribute type, 'c-rATTL', may be found on all of the above EXCEPT the root DSE. Presence of an instance of either of these attribute types for any entry serves as an indicator to the RA DUA that a caching directive may be in effect depending on the value. The significance of value magnitude -- whether collective or not -- is as follows: Coretta Expires February 23, 2025 [Page 16] Internet-Draft The OID Directory: RA Client August 2024 - A value less than or equal to "0" is equivalent to a TTL being undefined: NO cached lifespan is specified - A value greater than or equal to "1" indicates a TTL lifespan expressed by that value (e.g.: "1440" for a 24-hour TTL) Countdown of a timespan commences at the same time the indicated entry is retrieved and cached by the RA DUA according to the value. Presence of the 'rATTL' attribute type within the RA DSA's root DSE indicates use of global caching, a condition in which all entries are cached for a fixed amount of time unless they are subjected to an individual override by the 'rATTL' or 'c-rATTL' types. Presence of the 'rATTL' attribute type within separate 'rADUAConfig' class profile instances indicates context-specific entry caching (for example, a single RA DIT in the midst of others served by a common RA DSA). The 'c-rATTL' attribute type is only present for entries when served by an RA DSA which supports collective attributes. No instance of the 'c-rATTL' attribute type shall be present within the root DSE. In the face of multiple overlapping TTLs implied for an entry, these rules of precedence can guide the RA DUA in determining the correct TTL: - DSE-based TTL overrides nothing (lowest common denominator) - Contextual TTL overrides DSE TTL - Collective TTL overrides a subtree of a contextual TTL - Non-collective leaf entry TTL overrides all of the above If deemed appropriate within the spirit of an implementation, or if potentially necessary in an administrative context, the RA DUA MAY allow for arbitrary cache bypass, whereas the cached entry may be refreshed ahead of its scheduled TTL expiry. 2.2.4. New Allocations The following subsections involve considerations and procedures which are related to the incorporation of new registration allocations into an RA DIT. Each "OID Directory" implementation will almost certainly adopt only certain attribute types for use in entries. Such restrictions may be exercised based on use of only select object classes within an entry, through observance of any DIT content rules that may be in effect, or through a form of access control. The RA DUA is expected to honor any policies imposed by the service that would influence or mandate the composition of new entries in a particular way. Coretta Expires February 23, 2025 [Page 17] Internet-Draft The OID Directory: RA Client August 2024 2.2.4.1. Verification Certain pre-allocation checks MUST be conducted prior to any attempt at creating an allocation. The following subsections describe these procedures. Please note that only the three dimensional directory model is covered due to its STRONGLY RECOMMENDED status over the alternative model. While the RA DSA may implement 'registration' integrity controls of its own, the RA DUA SHALL NOT rely on such elements to mitigate bogus or ill-advised requests alone. The RA DUA is REQUIRED to submit only well-formed and sanctioned requests, and SHALL NOT be designed under the unfounded assumption that the RA DSA will conduct post-operative or custodial amendments of any kind. Adopters of the RA DUA construct should remember that the context of an allocation request can greatly influence the perception of the various outcomes discussed in the following subsections. For example, consider the entry of retroactive 'registration' entries -- obsolete and wholly invalid by today's standards -- by an end user simply to build a thorough and well-formed implementation of the OID tree, versus a new registration being created today, and governed by today's standards. These two scenarios have radically different implications, yet the effective action is unchanged. Depending on the nature and intended audience of an RA DUA solution, this distinction may be particularly important. It may prove useful to allow for effective "overrides" for authorized identities or modes of operating, for example, to allow the creation of registrations beneath an obsolete superior context. It is important to note that the procedures defined in the following subsections do not account for any internal governance or approval process related to allocation request handling. 2.2.4.1.1. Ancestral Viability Given an intended registration DN of: n=9999,n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA The RA DUA MUST first verify the presence of the intended superior registration DN. n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA This search can be conducted using the following SearchRequest parameters: Coretta Expires February 23, 2025 [Page 18] Internet-Draft The OID Directory: RA Client August 2024 baseObject = n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA scope = 0 filter = objectClass=registration attributes = registrationStatus registrationClassification isLeafNode isFrozen objectClass If exactly one (1) entry is returned with no apparent error, the superior entry is confirmed to be present. In this case, the RA DUA should read the values of the requested attribute types. If the 'registrationStatus' and/or 'registrationClassification' value is OBSOLETE, DEALLOCATED or some other (known) declaration of a state of non-operation, this MUST fail the allocation request unless the attempt was made in (approved) retroactive context. The case folding scheme in effect for these values is not significant. Similarly, if the 'isFrozen' and/or 'isLeafNode' attribute types bear a Boolean value of TRUE, the allocation request MUST fail unless the attempt was made in (approved) retroactive context. The error 'noSuchObject' indicates the requested entry was not found. When using LDAP, this bears the resultCode value of "32". 'noSuchObject' SHOULD be investigated by the RA DUA by way of an ancestral traversal -- a process in which each successive ancestor entry is subjected to a similar presence check as described above in incremental fashion. Ordering of ancestral traversal checks is not significant, as either ordering scheme will ultimately lead to the same conclusion. Each ancestor entry is referenced using a DN value which lacks the leaf-node RDN component of the previously-checked descendant entry. For instance, continuing with the above superior DN's lineage: - n=1,n=6,n=3,n=1,ou=Registrations,o=rA - n=6,n=3,n=1,ou=Registrations,o=rA - n=3,n=1,ou=Registrations,o=rA - n=1,ou=Registrations,o=rA Following this procedure allows the RA DUA or the end user to locate where the apparent ancestral discontinuity begins within the RA DIT. The terminus of a registration lineage -- such as the one described above -- is determined based on the presence of the STRUCTURAL object class 'rootArc' for an entry (e.g.: "n=1,ou=Registrations,o=rA"). Coretta Expires February 23, 2025 [Page 19] Internet-Draft The OID Directory: RA Client August 2024 2.2.4.1.2. Number Form Uniqueness Within a set of sibling 'registration' entries, it is CRITICAL that any new allocation involve use of a horizontally-unique 'n' value. Using one of the RECOMMENDED DN syntaxes described in Section 3.1, the proper procedure simply involves a Read-based presence check of the intended 'registration' DN. For instance, if the desired allocation shall bear the DN: n=9999,n=3,n=1,ou=Registrations,o=rA A preemptive Read Operation MUST be executed in the following manner: baseObject = n=9999,n=3,n=1,ou=Registrations,o=rA scope = 0 typesOnly = TRUE attributes = objectClass Use of the 'typesOnly' option is merely for bandwidth efficiency, as the goal of this request is to see if ANY entry exists by this DN -- not to examine any particular attribute values. If zero (0) entries are returned alongside a 'noSuchObject' error, the Number Form is unique. Any non-zero number of entries that are returned with no apparent error indicates the Number Form is NOT unique and the attempt at allocation MUST fail. The RA DUA SHOULD inform the user of this outcome. There are no practical override use cases for this condition. If using a 'registration' DN syntax other than those RECOMMENDED in Section 3.1, use of a filter within a List Operation executed upon the intended parent registration may be required at the risk of performance penalties proportional to the number of entries present: baseObject: = n=3,n=1,ou=Registrations,o=rA scope = 1 typesOnly = TRUE filter = n=9999 attributes = objectClass The same entry count semantics as described above will apply. See Section 2.2.4.1.3 for considerations regarding the presence of ranges of allocations within the set of sibling registrations. Coretta Expires February 23, 2025 [Page 20] Internet-Draft The OID Directory: RA Client August 2024 2.2.4.1.3. Ranged Allocations During the creation of new registrations, RA DUAs MUST preemptively search for any range-based registrations present that might overlap with the intended 'n' value of the entry. This requirement MAY be relaxed if it is known that ranged allocations are not supported in the target location, but this is generally discouraged. For example, to determine if a ranged allocation resides within the '1.3' OID registration that would overlap with a desired Number Form, the RA DUA MUST perform a List Operation of the following form: baseObject = n=3,n=1,ou=Registrations,o=rA scope = 1 typesOnly = TRUE filter = (&(n<=X)(|(registrationRange>=X)(registrationRange=-1))) attributes = registrationRange Note that 'filter' contains a leading line-break and indent due to the maximum I-D line length being exceeded by the size of the value. Given these parameters, where the filter AVA "X" represents the 'n' (Number Form) chosen -- for example "100" -- the search will return zero (0) entries if no range violation is detected involving value "X". This behavior is unchanged in the midst of multiple finite and/or infinite ranges, regardless of contiguity. Please note that integer "X" MUST be chosen or selected by some means by the RA DUA or its end user for this procedure to work as intended. "X" SHALL NOT be negative. An infinite range SHALL ONLY appear once in any sibling context, and the associated entry DN SHALL ALWAYS represent the true 'maxArc' or 'c-maxArc' value in the same sibling context, if specified. If ANY number of entries are returned as a result of this allocation check, the registration MUST fail. The RA DUA MAY opt to make other attempts using another Number Form in place of "X", or it may simply inform the user of an overlapping allocation attempt. This procedure assumes the preemptive Number Form Uniqueness check procedures described in Section 2.2.4.1.2 have been conducted with a favorable outcome as described. However, in certain use cases, it may be advantageous to replace the above 'filter' with: (|(&(n<=X)(|(registrationRange>=X)(registrationRange=-1)))(n=X)) Doing so accomplishes the goals of this section and Section 2.2.4.1.2 in a single action. Coretta Expires February 23, 2025 [Page 21] Internet-Draft The OID Directory: RA Client August 2024 The RA DUA MAY opt to impose a 'typesOnly' value of FALSE to allow the user to manually observe the range structure(s) present within a set of siblings directly (by way of the 'registrationRange' type) if and when an overlapping allocation attempt was made. This allows the user to select an appropriate Number Form value in an informed manner -- as opposed to trial-and-error methodology, for instance. 2.2.4.2. Submission Assuming the verification procedures covered in Section 2.2.4.1 were of a favorable outcome, the submission of the allocation details may be indicated. This I-D assumes that any requisite review or approval processes that are practiced by those who serve in authority over the RA have been performed. Creation of a directory entry, based upon decided allocation details, is the last step necessary for a proper submission. Please see the RADIT I-D for details and many examples regarding entry composition. The Add Operation is the intended means for submission of the entry. If the particular implementation of this I-D series does not support this operation in this manner, the RA DSA may be expected to support another means out of scope for this I-D series. Upon submission of the composed entry to the receiving RA DSA, the RA DUA SHOULD retrieve the newly added entry to verify attribute type and object class content is present as intended. This should precede any declarations of successful submission to the end user. 2.2.5. Allocation Updates Updates to 'registration' entries, as mentioned previously, is often ill-advised outside of extraordinary circumstances, likely involving corrections to entries deemed to be of poor form, or created in bad faith. A general rule-of-thumb suggests that any 'registration' is typically static. Updates to 'registrant' entries or attributes, however, is far more likely if contact information, which changes over time, is present. Nevertheless, alterations to the content of entries in either context is facilitated through use of the Modify Operation for any of the following desired actions: - Addition of object class values - Addition of attribute type instances or values - Removal of undesirable or invalid attribute instances or values - Correction of bogus attribute values - Relegation of a 'currentAuthority' to a 'firstAuthority' Coretta Expires February 23, 2025 [Page 22] Internet-Draft The OID Directory: RA Client August 2024 In an even more exceptional (and unlikely) scenario, the correction of an invalid Number Form or OID RDN value is facilitated through use of the Modify DN Operation, which is intended for the "renaming" and/or "relocation" of a specified entry. This is almost certainly an administratively focused use case. The semantics for either of these operations are well outside the scope of this I-D series. 3. IANA Considerations There are no requests to IANA in this document at this time. 4. Security Considerations The RA DUA MUST possess the capability to honor any authentication and/or confidentiality policies imposed by the RA DSA. This would imply Bind and Unbind capabilities, at the least. This may involve strategies related to TLS, 2FA, OTP and others. TLS support may include facilities for mutual authentication. Support of password-related operations -- such as those defined in [RFC3062] -- may be indicated. Certain directory implementations may require these capabilities be exercised prior to interaction with ANY facet of the directory -- no matter how innocuous a request may be perceived (for instance, basic query of the root DSE only). This is an especially common practice in high-security X.500/LDAP implementations. Adopters are advised to be prepared for such conditions. 5. References 5.1. Normative References RADIR Coretta, J., "The OID Directory: A Technical Roadmap", draft-coretta-oiddir-roadmap, February 2024. RADIT Coretta, J., "The OID Directory: The RA DIT", draft-coretta-oiddir-radit, February 2024. RADSA Coretta, J., "The OID Directory: The RA DSA", draft-coretta-oiddir-radsa, February 2024. RASCHEMA Coretta, J., "The OID Directory: The RA Schema", draft-coretta-oiddir-schema, February 2024. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Coretta Expires February 23, 2025 [Page 23] Internet-Draft The OID Directory: RA Client August 2024 [RFC2696] C. Weider, A. Herron, A. Anantha, Microsoft, T. Howes and Netscape, "LDAP Control Extension for Simple Paged Results Manipulation", RFC 2696, September 1999. [RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight Directory Access Protocol (LDAP)", RFC 3671, December 2003. [RFC4511] J. Sermersheim, Ed. "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006. [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", RFC 8174, May 2017. [X.501] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Models", ITU-T X.501, October 2019. [X.511] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Abstract service definition", ITU-T X.511, October 2019. 5.2. Informative References [PRIVATE] IANA, "Private Enterprise Numbers", https://www.iana.org/assignments/enterprise-numbers. [RFC2079] Smith, M., "Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)", RFC 2079, January 1997. [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation", RFC 3062, February 2001. [RFC4519] Sciberras, Ed., A., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, June 2006. [RFC4524] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): COSINE LDAP/X.500 Schema", RFC 4524, June 2006 [X.500] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Overview of concepts, models and services", ITU-T X.500, October 2019. Coretta Expires February 23, 2025 [Page 24] Internet-Draft The OID Directory: RA Client August 2024 [X.660] International Telecommunication Union - Telecommunication Standardization Sector, "General procedures and top arcs of the international object identifier tree", ITU-T X.660, July 2011. [X.667] International Telecommunication Union - Telecommunication Standardization Sector, "Information technology - Procedures for the operation of object identifier registration authorities: Generation of universally unique identifiers and their use in object identifiers", ITU-T X.667, October 2012. [X.680] International Telecommunication Union - Telecommunication Standardization Sector, "Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T X.680, July 2002. [X.690] International Telecommunication Union - Telecommunication Standardization Sector, "ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690, February 2021. Author's Address Jesse Coretta California, United States Email: jesse.coretta@icloud.com Coretta Expires February 23, 2025 [Page 25]