Security - Authentication and Access Control
If the X500 directory service is to really take off, many system
administrators all over the world will need to be convinced that
the information it contains will not compromise the security of
their sites. Obviously certain information which is of legitimate
use to some users of the directory could be put to harmful use by
other, more malicious people roaming around the directory. The security of
the X500 directory was one of the issues which the people designing the
original 1988 standard did not get around to solving definitively, so it
was not part of that standard. However, they made some recommendations
about security, and the 1993 revision specified some standards for security.
To understand this overview of security you should have a basic familiarity with
the basic components of the directory - DUAs, DSAs and the like. If you come
across any terms which you do not understand you might try other
sections of this overview such as
The security of the network can be broken into two relatively distinct areas.
Authentication
When a user, or an application acting on behalf of some user, wishes to
connect to the directory we must establish whether they are who they claim to
be. Also, when some element of the network, say a DSA, requests information
from another DSA it must be sure that the information it receives in response
came from that DSA and has not been tampered with in transit.
Access Control
Having established definitively who a user is, we must decide which parts of
the directory that person should be allowed to access. More specifically we
must decide what operations this particular user can carry out on a particular
entry, e.g. we distinguish between the ability to read a piece of
data and the ability to alter it.
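The decision described above, as an added illustration that is not part of the original overview: a simplified model of how the 1993 basic access control rules resolve whether an authenticated user may read or alter a given entry. The DNs, ACI items and the "read"/"modify" permission names are constructed for the example; the resolution order (higher precedence wins, a deny beats a grant at equal precedence, no applicable item means deny) follows the spirit of the standard rather than its full rule set.

```python
"""Simplified X.500-style access control decision (added example, not from
the original overview).  Each ACI item grants or denies a set of permissions
on a subtree to one user (by DN) or to all users ("*").  All data below is
constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    scope: str        # subtree the item applies to, e.g. "o=Example"
    user: str         # authenticated user's DN, or "*" for all users
    grant: bool       # True = grant, False = deny
    perms: frozenset  # subset of {"read", "modify"} (names assumed here)
    precedence: int   # higher precedence wins, as in X.500 (0..255)


def in_subtree(entry_dn: str, scope_dn: str) -> bool:
    """An entry is inside a scope if its DN is the scope DN or ends with it."""
    return entry_dn == scope_dn or entry_dn.endswith("," + scope_dn)


def decide(acis, user_dn: str, entry_dn: str, perm: str) -> bool:
    """Return True if the authenticated user may perform `perm` on the entry."""
    applicable = [a for a in acis
                  if perm in a.perms
                  and in_subtree(entry_dn, a.scope)
                  and a.user in ("*", user_dn)]
    if not applicable:
        return False                        # no applicable item: deny
    top = max(a.precedence for a in applicable)
    winners = [a for a in applicable if a.precedence == top]
    return all(a.grant for a in winners)    # any deny at top precedence wins


# Constructed sample policy: everyone may read, an admin may read and modify,
# but the HR subtree is hidden from everyone except its own manager.
SAMPLE_ACIS = [
    Aci("o=Example", "*", True, frozenset({"read"}), 10),
    Aci("o=Example", "cn=Admin,o=Example", True, frozenset({"read", "modify"}), 50),
    Aci("ou=HR,o=Example", "*", False, frozenset({"read"}), 100),
    Aci("ou=HR,o=Example", "cn=HRMgr,o=Example", True, frozenset({"read", "modify"}), 120),
]
```

Note that the admin's grant at precedence 50 loses to the HR subtree deny at precedence 100, while the HR manager's grant at 120 overrides it.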