Re: DN revision
At 12:48 AM 4/17/01, Kurt D. Zeilenga wrote:
>In addition, security considerations related to the use of other
>names and/or alternative DN string representations should be
>detailed.
I offer these additional security considerations regarding
the use of other names.
5.3. Use of Other Names
Attribute type names are not unique. A string representation
generated with names other than those in the Section 2.3 table is
ambiguous. That is, two applications may recognize the string as
representing two different DNs possibly associated with two different
entries. This may lead to a wide range of unexpected behaviors
which can have both direct and indirect impacts upon security.
For example, a distinguished name consisting of one RDN with one
AVA, in which the type is known locally as FOO and the value is the
octetString "BAR", could be represented in LDAP as the string
FOO=BAR. As the name FOO does not uniquely identify an attribute
type, the DN FOO=BAR is ambiguous. That is, FOO could be recognized
as the attribute type 1.1.1 by one application and 1.2.3.4 in
another and not recognized by another. This may lead to operations
not behaving as intended.
Applications desiring to generate an unambiguous string representation
of a DN SHOULD generate the string representation per Section 2, not
use names other than those in the Section 2.3 table, and take
Section 5.2 into consideration.
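Worked example, added here as an illustration and not part of the message above or of the draft text it proposes: a small Python sketch of a DN string generator that emits only the Section 2.3 short names (assumed to be the table published in RFC 2253: CN, L, ST, O, OU, C, STREET, DC, UID) and falls back to the dotted OID for any other type, alongside a resolver showing how the same string FOO=BAR is interpreted differently by applications with different local name tables. The local tables APP_A, APP_B and APP_C, the `resolve_type`/`interpret` helpers and the single-AVA parser are constructed for this demonstration; the OIDs 1.1.1 and 1.2.3.4 are the ones named in the message.

```python
# Added example (not from the original message): an unambiguous DN
# string generator next to a demonstration of attribute-type name ambiguity.
from dataclasses import dataclass

# Assumed to be the Section 2.3 table as published in RFC 2253:
# the only short names every implementation is required to recognize.
SECTION_2_3_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}

# Characters that must be escaped inside a value (RFC 2253 section 2.4),
# plus a leading space or '#' and a trailing space.
SPECIALS = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape a string value so the generated DN parses back unambiguously."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class AVA:
    oid: str    # attribute type, always identified by dotted OID internally
    value: str  # string form of the value


def dn_to_string(rdns):
    """rdns: list of RDNs, each a list of AVA (first RDN is the leftmost).
    Uses only Section 2.3 names; any other type is written as its OID,
    which is what makes the result unambiguous across applications."""
    parts = []
    for rdn in rdns:
        parts.append("+".join(
            f"{SECTION_2_3_NAMES.get(ava.oid, ava.oid)}={escape_value(ava.value)}"
            for ava in rdn))
    return ",".join(parts)


def resolve_type(name, local_table):
    """How one application maps a type name to an OID: dotted OIDs are taken
    as-is, Section 2.3 names are fixed, anything else depends on the
    application's own (constructed) local table and may be unknown."""
    if "." in name and all(part.isdigit() for part in name.split(".")):
        return name
    upper = name.upper()
    standard = {short: oid for oid, short in SECTION_2_3_NAMES.items()}
    if upper in standard:
        return standard[upper]
    return local_table.get(upper)  # None: the application does not know FOO


# Constructed local name tables for three hypothetical applications.
APP_A = {"FOO": "1.1.1"}
APP_B = {"FOO": "1.2.3.4"}
APP_C = {}


def interpret(dn_string, local_table):
    """Minimal single-AVA parser (constructed for the demo): returns the OID
    the application would associate with the type in the string."""
    name, _, _value = dn_string.partition("=")
    return resolve_type(name.strip(), local_table)


if __name__ == "__main__":
    print(dn_to_string([[AVA("1.1.1", "BAR")]]))          # 1.1.1=BAR
    for label, table in (("A", APP_A), ("B", APP_B), ("C", APP_C)):
        print(label, "reads FOO=BAR as", interpret("FOO=BAR", table))
```

Running the demo shows the point of the proposed text: the three applications read FOO=BAR as 1.1.1, 1.2.3.4 and "unknown" respectively, while the generator never produces FOO in the first place and every application reads 1.1.1=BAR the same way.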