Erik,

I agree that NOTE 1 should be removed. As for protected password, the text is not very clear, particularly the usage of some components of Token. It is probably too late for Edition 6 (September) to create an Annex in X.509, like for protected password, to make this authentication method explicit.

Jean-Paul.
Hi Jean-Paul and others,

I have several concerns and let me be a little more specific. The following was added into the third edition (1997) of X.511:

The bindIntAlgorithm and bindConfAlgorithm components are used to negotiate the cryptographic algorithms used to protect subsequent operations on the binding. The requestor includes a list of supported algorithms in order of preference. The Directory chooses one from the list which conforms to its own security policy, and indicates this in the response. The session keys to be used by the integrity and confidentiality algorithms are established using the bindIntKeyInfo and bindConfKeyInfo fields. Both the requestor and the Directory may contribute to the selection of the session key by generating a session key of appropriate length, and encrypting with the other's public key. The session key is the exclusive OR of the two components. Note that the requestor may leave the generation of the session key to the Directory, in which case the above fields will be omitted from the bind argument.

I do not know where that stuff came from. I have checked all the amendments going into the third edition. Nowhere is the term "session key" used. In addition, the term "session key" is only used here and not anywhere else in any part of X.500. The editing of the third edition was quite confusing. Hoyt did some, I believe the ITU-T TSB did some, and I remember Herb Bertine, the chairman of the ITU-T study group, lost his patience and threatened to cancel the whole X.500 project. I volunteered to complete the job. Patrick from Siemens did some work. Anyway, the two paragraphs above seem to come out of the blue. I am sure that I did not produce them.

The NOTE 1 following these two paragraphs says:

NOTE 1 - The credentials required for authentication may be carried by the Security Exchange Service Element (see ITU-T Rec. X.519 | ISO/IEC 9594-5) in which case they are not present in the bind arguments or results.

This note was added as part of the Operational Security amendment. As we have removed any reference to the Security Exchange Service Element (SESE), this note should not be there. SESE was erroneous and nobody knew how to fix it. It resulted in removing all about Operational Security except left-overs all over the place.

The following paragraph was added by the Operational Security amendment:

The bindIntAlgorithm, bindKeyInfo, bindConfAlgorithm, and bindConfKey components are used to carry information used to protect subsequent operations on the binding.

To me it looks like it is talking about Operational Security, but I am not sure. I was not part of the X.500 work at the time. It was after leaving IBM and before being sponsored by EIDQ.

Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Jean-Paul Lemaire
Sent: 14 June 2008 14:05
To: x500standard@xxxxxxxxxxxxx; 'SG17-Q2'
Subject: [x500standard] Re: FW: Operational security

Erik,

I forgot to answer your previous email about that and I apologize for that. I think there is no redundant information in the Bind. I agree with your text for 8.1.1 (which contains the correction of DTC 1).

Best regards,
Jean-Paul.

_____
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Saturday 14 June 2008 10:39
To: Directory list; SG17-Q2
Subject: [x500standard] FW: Operational security

Hi Folks,

I never got any reaction on the message below and I gave up resolving the issue myself due to lack of time. If there is redundant information in the Bind, it will stay there, at least for a while.

Erik Andersen

-----Original Message-----
From: Erik Andersen [mailto:era@xxxxxxx]
Sent: 1 May 2008 18:05
To: Directory list; SG17-Q2 (tsg17q2@xxxxxxx)
Subject: Operational security

Hi Folks,

I seem to be continuously tangling with old litter from the Operational Security amendment. It has cost me an enormous amount of time, first to try to clean it up and, having failed on that, then to clean it out. I believe we still have something left in the Bind. I have produced a small piece of text to show the difference between the current state of Bind and how it looked in the second (1993) edition. Most of what has been added we want to keep, but some should probably be deleted. Could you please advise me on what to keep and what to bin?

Erik Andersen
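The session-key paragraph that Erik quotes from the third edition of X.511 (each side generates a contribution, encrypts it under the other side's public key, and the session key is the exclusive OR of the two; the requestor may omit its contribution) is modelled below as an added example. It is not code from the standard or from anyone on this list. Textbook RSA over the Python standard library stands in for whatever public-key algorithm a real deployment would negotiate, the 16-byte key length, the `Party` class and the `bind_exchange` helper are assumptions made for this illustration, and the encrypted contributions play the role of the bindIntKeyInfo / bindConfKeyInfo fields without any ASN.1 encoding.

```python
"""Model of the X.511 bind-time session-key agreement: XOR of two
per-party contributions, each sent encrypted under the peer's public key.
Textbook RSA without padding is used only so the script runs offline;
it is a stand-in for the negotiated algorithm, not a recommendation."""
import secrets

KEY_LEN = 16  # bytes; "appropriate length" in X.511, value constructed here


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)); 512-bit textbook RSA, demo only, no padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def encrypt_for(pub, contribution: bytes) -> int:
    n, e = pub
    m = int.from_bytes(contribution, "big")
    assert m < n, "contribution must be smaller than the modulus"
    return pow(m, e, n)


def decrypt_with(priv, ciphertext: int) -> bytes:
    n, d = priv
    return pow(ciphertext, d, n).to_bytes(KEY_LEN, "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """Either the requestor or the Directory in the bind exchange (assumed name)."""

    def __init__(self, name: str):
        self.name = name
        self.pub, self._priv = rsa_keygen()
        self.contribution = None  # stays None if this side contributes nothing

    def make_key_info(self, peer_pub) -> int:
        """Build the bindIntKeyInfo-style field: our random contribution, encrypted for the peer."""
        self.contribution = secrets.token_bytes(KEY_LEN)
        return encrypt_for(peer_pub, self.contribution)

    def derive_session_key(self, peer_key_info) -> bytes:
        """Session key = own contribution XOR peer contribution; a missing side counts as zero."""
        peer_part = decrypt_with(self._priv, peer_key_info) if peer_key_info is not None else bytes(KEY_LEN)
        own_part = self.contribution if self.contribution is not None else bytes(KEY_LEN)
        return xor_bytes(own_part, peer_part)


def bind_exchange(requestor_contributes: bool = True):
    """Run one bind; return (key at requestor, key at Directory, requestor part, Directory part)."""
    requestor, directory = Party("requestor"), Party("Directory")
    # BindArgument carries the requestor's encrypted contribution, or omits the field entirely.
    req_key_info = requestor.make_key_info(directory.pub) if requestor_contributes else None
    # BindResult carries the Directory's contribution encrypted for the requestor.
    dir_key_info = directory.make_key_info(requestor.pub)
    return (requestor.derive_session_key(dir_key_info),
            directory.derive_session_key(req_key_info),
            requestor.contribution,
            directory.contribution)


if __name__ == "__main__":
    k_req, k_dir, _, _ = bind_exchange()
    print("both contribute, keys agree:", k_req == k_dir, k_req.hex())
    k_req, k_dir, _, dir_part = bind_exchange(requestor_contributes=False)
    print("Directory only, key is its contribution:", k_req == k_dir == dir_part)
```

The XOR combination is what gives the construction its value: the session key is uniformly random as long as at least one side's contribution is, so neither party can force the key on its own. The flip side, visible in the second case above, is that when the requestor omits its fields the key's quality rests entirely on the Directory's random-number generator. A deployment would also need a padded public-key scheme rather than the raw textbook RSA used here.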
----- www.x500standard.com: The central source for information on the X.500 Directory Standard.