[x500standard] Re: FW: Operational security

  • From: "Jean-Paul LEMAIRE" <jean-paul.lemaire@xxxxxxxxxxxxxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Wed, 18 Jun 2008 08:50:22 +0200

Erik,

I agree that NOTE 1 should be removed.

As for protected password, the text is not very clear, particularly the usage of some components of Token. It is probably too late for Edition 6 (September) to create, as for protected password, an Annex in X.509 making this authentication method explicit.

Jean-Paul.

Hi Jean-Paul and others,

I have several concerns and let me be a little more specific.

The following was added into the third edition (1997) of X.511:

The bindIntAlgorithm and bindConfAlgorithm components are used to
negotiate the cryptographic algorithms used to protect subsequent
operations on the binding. The requestor includes a list of supported
algorithms in order of preference. The Directory chooses one from the
list which conforms to its own security policy, and indicates this in
the response.

The session keys to be used by the integrity and confidentiality
algorithms are established using the bindIntKeyInfo and bindConfKeyInfo
fields. Both the requestor and the Directory may contribute to the
selection of the session key by generating a session key of appropriate
length, and encrypting with the other's public key. The session key is
the exclusive OR of the two components. Note that the requestor may
leave the generation of the session key to the Directory, in which case
the above fields will be omitted from the bind argument.

I do not know where that stuff came from. I have checked all the
amendments going into the third edition. Nowhere is the term "session
key" used. In addition, the term "session key" is only used here and not
used anywhere else in any part of X.500. The editing of the third
edition was quite confusing. Hoyt did some, I believe the ITU-T TSB did
some, and I remember Herb Bertine, the chairman of the ITU-T study
group, lost his patience and threatened to cancel the whole X.500
project. I volunteered to complete the job. Patrick from Siemens did
some work. Anyway, the two paragraphs above seem to come out of the
blue. I am sure that I did not produce them.

The NOTE 1 following these two paragraphs says:

NOTE 1 – The credentials required for authentication may be carried by
the Security Exchange Service Element (see ITU-T Rec. X.519 | ISO/IEC
9594-5) in which case they are not present in the bind arguments or
results.

This note was added as part of the Operational Security amendment. As we
have removed any reference to the Security Exchange Service Element
(SESE), this note should not be there. SESE was erroneous and nobody
knew how to fix it. It resulted in removing everything about Operational
Security except left-overs all over the place. The following paragraph
was added by the Operational Security amendment.

The bindIntAlgorithm, bindKeyInfo, bindConfAlgorithm, and bindConfKey
components are used to carry information used to protect subsequent
operations on the binding.

To me it looks like it is talking about Operational Security, but I am
not sure. I was not part of the X.500 work at the time. It was after
leaving IBM and before being sponsored by EIDQ.

Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/
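The session-key rule in the X.511 text Erik quotes (each side contributes a key of the agreed length, encrypted with the other's public key, and the session key is the exclusive OR of the two, or the Directory's contribution alone when the requestor omits the fields) is worked through below as an added example; it is not text from X.511 or code from any X.500 implementation. The public-key encryption of each contribution is assumed to have already happened, so the functions operate on the decrypted contributions, and the length check is a defensive choice of this example, not a requirement stated by the quoted text.

```python
"""Combining two key contributions into one session key, as described in
the quoted X.511 bind text. Added example, not part of the standard."""
import secrets
from typing import Optional


def generate_contribution(length: int) -> bytes:
    """One party's contribution: a uniformly random key of the agreed length.

    The quoted text has each party generate "a session key of appropriate
    length" and encrypt it with the peer's public key; that encryption
    step is out of scope here (assumed to have been done and undone).
    """
    if length <= 0:
        raise ValueError("key length must be positive")
    return secrets.token_bytes(length)


def combine_session_key(requestor: Optional[bytes], directory: bytes) -> bytes:
    """Derive the session key from the two (decrypted) contributions.

    - Both present: the key is the exclusive OR of the two components.
    - Requestor omitted bindIntKeyInfo/bindConfKeyInfo (None here): the
      key is the Directory's component alone, as the quoted note allows.
    Unequal lengths are rejected (an assumption of this example): XOR over
    a truncated or zero-padded contribution would leave part of the key
    depending on one party only.
    """
    if requestor is None:
        return directory
    if len(requestor) != len(directory):
        raise ValueError("contributions must be the same length")
    return bytes(r ^ d for r, d in zip(requestor, directory))


def both_sides_agree(key_len: int, requestor_contributes: bool) -> bool:
    """Simulate one bind: each side combines what it generated with what it
    received, and both must arrive at the same session key."""
    req = generate_contribution(key_len) if requestor_contributes else None
    dir_ = generate_contribution(key_len)
    requestor_view = combine_session_key(req, dir_)   # requestor's derivation
    directory_view = combine_session_key(req, dir_)   # Directory's derivation
    return requestor_view == directory_view and len(requestor_view) == key_len


if __name__ == "__main__":
    # Constructed contributions so the XOR result is easy to read by hand.
    r = bytes.fromhex("0f0f0f0f")
    d = bytes.fromhex("f0f0ffff")
    print(combine_session_key(r, d).hex())   # fffff0f0
    print(both_sides_agree(16, True), both_sides_agree(16, False))
```

Because XOR is its own inverse, `combine_session_key(key, directory)` returns the requestor's contribution again, which is why either party must keep its own contribution confidential (hence the encryption with the peer's public key in the quoted text).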
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Jean-Paul
Lemaire
Sent: 14 June 2008 14:05
To: x500standard@xxxxxxxxxxxxx; 'SG17-Q2'
Subject: [x500standard] Re: FW: Operational security
Erik,

I forgot to answer your previous email about that and I apologize for
that. I think there is no redundant information in the Bind. I agree
with your text for 8.1.1 (which contains the correction of DTC 1).

Best regards,

Jean-Paul.

_____
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Saturday 14 June 2008 10:39
To: Directory list; SG17-Q2
Subject: [x500standard] FW: Operational security
Hi Folks,

I never got any reaction on the message below and I gave up resolving the
issue myself due to lack of time. If there is redundant information in
the Bind, it will stay there, at least for a while.


Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/
-----Original Message-----
From: Erik Andersen [mailto:era@xxxxxxx]
Sent: 1 May 2008 18:05
To: Directory list; SG17-Q2 (tsg17q2@xxxxxxx)
Subject: Operational security
Hi Folks,

I seem to be continuously tangling with old litter from the Operational
Security amendment. It has cost me an enormous amount of time, first to
try to clean it up and, having failed on that, then to clean it out. I
believe we still have something left in the Bind. I have produced a
small piece of text to show the difference between the current state of
Bind and how it looked in the second (1993) edition. Most of what has
been added we want to keep, but some should probably be deleted. Could
you please advise me on what to keep and what to bin?


Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxx
http://www.x500.eu
http://www.x500standard.com/

