Hi Jean-Paul and others,

I have several concerns, and let me be a little more specific. The following was added into the third edition (1997) of X.511:

    The bindIntAlgorithm and bindConfAlgorithm components are used to negotiate the cryptographic algorithms used to protect subsequent operations on the binding. The requestor includes a list of supported algorithms in order of preference. The Directory chooses one from the list which conforms to its own security policy, and indicates this in the response.

    The session keys to be used by the integrity and confidentiality algorithms are established using the bindIntKeyInfo and bindConfKeyInfo fields. Both the requestor and the Directory may contribute to the selection of the session key by generating a session key of appropriate length, and encrypting with the other's public key. The session key is the exclusive OR of the two components. Note that the requestor may leave the generation of the session key to the Directory, in which case the above fields will be omitted from the bind argument.

I do not know where that stuff came from. I have checked all the amendments going into the third edition. Nowhere is the term "session key" used. In addition, the term "session key" is only used here and nowhere else in any part of X.500.

The editing of the third edition was quite confusing. Hoyt did some, I believe the ITU-T TSB did some, and I remember Herb Bertine, the chairman of the ITU-T study group, lost his patience and threatened to cancel the whole X.500 project. I volunteered to complete the job. Patrick from Siemens did some work. Anyway, the two paragraphs above seem to come out of the blue. I am sure that I did not produce them.

The NOTE 1 following these two paragraphs says:

    NOTE 1 - The credentials required for authentication may be carried by the Security Exchange Service Element (see ITU-T Rec. X.519 | ISO/IEC 9594-5) in which case they are not present in the bind arguments or results.
This note was added as part of the Operational Security amendment. As we have removed any reference to the Security Exchange Service Element (SESE), this note should not be there. SESE was erroneous and nobody knew how to fix it. It resulted in removing all about Operation Security except left-overs all over the place.

The following paragraph was added by the Operation Security amendment:

    The bindIntAlgorithm, bindKeyInfo, bindConfAlgorithm, and bindConfKey components are used to carry information used to protect subsequent operations on the binding.

To me it looks like it is talking about Operational Security, but I am not sure. I was not part of the X.500 work at the time. It was after leaving IBM and before being sponsored by EIDQ.

Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Jean-Paul Lemaire
Sent: 14 June 2008 14:05
To: x500standard@xxxxxxxxxxxxx; 'SG17-Q2'
Subject: [x500standard] Re: FW: Operational security

Erik,

I forgot to answer your previous email about that and I apologize for that. I think there is no redundant information in the Bind. I agree with your text for 8.1.1 (which contains the correction of DTC 1).

Best regards,
Jean-Paul.

_____
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Saturday 14 June 2008 10:39
To: Directory list; SG17-Q2
Subject: [x500standard] FW: Operational security

Hi Folks,

I never got any reaction on the message below, and I gave up resolving the issue myself due to lack of time. If there is redundant information in the Bind, it will stay there, at least for a while.
Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/

-----Original Message-----
From: Erik Andersen [mailto:era@xxxxxxx]
Sent: 1 May 2008 18:05
To: Directory list; SG17-Q2 (tsg17q2@xxxxxxx)
Subject: Operational security

Hi Folks,

I seem to be continuously tangling with old litter from the Operational Security amendment. It has cost me an enormous amount of time, first to try to clean it up and, having failed on that, then to clean it out. I believe we still have something left in the Bind. I have produced a small piece of text to show the difference between the current state of Bind and how it looked in the second (1993) edition. Most of what has been added we want to keep, but some should probably be deleted. Could you please advise me on what to keep and what to bin?

Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/
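The X.511 paragraphs quoted at the top of this thread describe two mechanisms: the Directory picks the first algorithm from the requestor's preference list that its own policy allows, and the session key is the exclusive OR of a requestor contribution and a Directory contribution, with the requestor allowed to omit its contribution. The following Python model is an added illustration written for this archive, not text or code from X.511 or from any of the participants. It assumes a 16-byte key length and leaves out the public-key encryption of each contribution (the contributions are taken as already decrypted); the function and variable names are illustrative and are not X.511 ASN.1 identifiers.

```python
"""Constructed model of the bind negotiation described in the quoted X.511
paragraphs: algorithm choice by preference against the Directory's policy,
and a session key formed as the XOR of two contributions.

Assumptions (not from the standard text): 16-byte contributions, and the
public-key encryption of each contribution is handled elsewhere.
"""
import secrets
from typing import Callable, List, Optional, Set, Tuple

KEY_LEN = 16  # bytes; a choice for this example, not mandated by X.511


def choose_algorithm(requestor_prefs: List[str],
                     directory_policy: Set[str]) -> Optional[str]:
    """The Directory takes the first algorithm in the requestor's preference
    order that its own security policy permits; None when nothing matches."""
    for alg in requestor_prefs:
        if alg in directory_policy:
            return alg
    return None


def combine_session_key(requestor_part: Optional[bytes],
                        directory_part: bytes) -> bytes:
    """Session key = requestor_part XOR directory_part.

    If the requestor left key generation to the Directory (field omitted),
    the Directory's contribution alone is the session key. A length mismatch
    is rejected rather than silently truncated by zip()."""
    if requestor_part is None:
        return directory_part
    if len(requestor_part) != len(directory_part):
        raise ValueError("contributions must have the same length")
    return bytes(a ^ b for a, b in zip(requestor_part, directory_part))


def bind(requestor_prefs: List[str],
         directory_policy: Set[str],
         requestor_contributes: bool = True,
         rng: Callable[[int], bytes] = secrets.token_bytes
         ) -> Tuple[str, bytes, Optional[bytes], bytes]:
    """Run one negotiation. Returns (algorithm, session_key,
    requestor_part, directory_part). Raises ValueError when the
    requestor's list and the Directory's policy have no algorithm in common."""
    alg = choose_algorithm(requestor_prefs, directory_policy)
    if alg is None:
        raise ValueError("no mutually acceptable algorithm")
    req_part = rng(KEY_LEN) if requestor_contributes else None
    dir_part = rng(KEY_LEN)
    return alg, combine_session_key(req_part, dir_part), req_part, dir_part


if __name__ == "__main__":
    # Constructed sample inputs: the requestor prefers "alg-a" but the
    # Directory's policy only allows "alg-b".
    alg, key, req_part, dir_part = bind(["alg-a", "alg-b"], {"alg-b"})
    print("chosen algorithm:", alg)
    print("session key:", key.hex())
    # With both contributions present, neither side alone fixes the key:
    # an observer needs both parts, since key XOR dir_part recovers req_part.
    print("recovers requestor part:",
          combine_session_key(key, dir_part) == req_part)
```

The XOR combination is what gives the "both may contribute" property its value: as long as at least one contribution is fresh and unpredictable, the resulting key is too, and an observer holding only one decrypted contribution learns nothing about the key. The omitted-field case collapses to the Directory's contribution alone, which is the behaviour the quoted note describes.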