X.500 Standard status
(Implementors' Guide)

X.509 Related activities

How to be involved

More Information

Tutorial section 1
X.500 General

Tutorial section 2
X.509 specific

Other PKI organizations

edit SideBar


X.500 Service Concept

From the very beginning of the development the X.500 Directory Specifications were seen as a specification of a single directory providing a global service both with respect to geography as well as to applications.

The ITU-T Rec. F.510 describes the directory service for a very particular purpose, namely its use for retrieval of telephone number, e-mail address, Internet address, etc. F.510 is a service-oriented specification not assuming any particular directory technology and it is not making use of X.500 terminology.

The F.510 specifies a restricted service in the sense that it specifies in some details what type of directory enquiries can be made and what information can be returned. The service is to be closely controlled and restricted by the service provider. This is somewhat different from the traditional directory service view. It can therefore be useful to analyse two extremities of directory service views:

  • the global directory service view; and
  • the focused directory service view.

These extremities are expanded upon on this page. It is, of course, possible to take a view somewhere in the middle.

The Global Directory Service View

The global directory service view
Figure 1 - The global directory service view

Figure 1 illustrates the global service view. Here, a directory is viewed as a set of interconnected directory servers (DSAs). In this traditional directory service view, organizations, e.g. service providers, add information into entries in such directory servers. The entries can then be browsed, listed, searched, read, etc. for whatever purposes the user might have.

In traditional X.500 thinking the directory service is what can be obtained through some client (e.g. through DAP, LDAP or the Web). In principle, a user can through a single, general user interface search any area or the DIT, construct a search filter in any way, and request any information and get it. The only restriction on such a service is access control applied to protect sensitive information. Also local restrictions may be applied. The access control is purely based on user identity and not on the particular service being provided. Current X.500 access control can protect individual pieces of information, but it does not take into account that even when pieces of information may not individually be sensitive, a combination of non-sensitive information may in itself be sensitive. Neither does access control take into account that the information in the directory may be a substantial investment to be protected for other purposes than sensitivity.

The Focused Directory Service View

The focused service view
Figure 2 - The focused service view

In the focused service view the user does not see the directory as a repository for all kind of information distributed and organized in a structured way. The user sees the directory as a system that gives a particular well-defined service to serve a particular need as illustrated in figure 2. A directory system may provide several services. However, the user may see such services as distinct and unrelated services, each having a separate user interface adapted to the particular service.

The focused service view as it relates to the user

A user has some perception of a directory service, such as:

  • The user knows about the information to be used as input in the search request, such as personal name, street name, etc.
  • The user does not know anything about directory concepts, such a base entry, subsets, DIT, DIT structure, subschemas, contexts, attribute types, object classes, etc., and should not be required to know about such things.
  • If a search fails or partly fails, the user wants to get information back related to the information given in the search request. In exception cases a user may get error messages related to temporary system problems, like "country not currently accessible". The user does not want to get empty results with no indication why it is empty; he/she does not want to get technology oriented error messages, such as invalid reference, unavailable critical extension, invalid subset, etc. Such error information annoys the user. Such information is only for debugging purposes, not to be used as user feedback.
  • Input information to a search should not be taken too literal. In a White Pages service, a user may specify a location that is the neighboring locality with respect to correct locality, or a user may specify a location not directly reflected in the directory. The user expects the directory to cope with that situation. Similarly, in a Yellow Pages search, the user may specify a business category not mapping directly to the business categories as reflected in the directory.

The focused service view as it relates to the service provider

A directory service provider also has some perception about the service to be provided:

  • Knows about the information available with respect to completeness, accurateness and timeliness. As an example, an administrator may know that all postal addressing information is very accurate, as the information has been checked against an official address database. Similarly, the administrator may know that information about profession is not available for many person entries and that if such information is available, it is not reliable. Such knowledge of the information quality can be used to tailor searches in such a way that the user has a better chance of successful searches. A search can also be tailored in such a way that only high quality information is returned to the user, while more suspect information is withheld or only given to a particular user group.
  • The information established in a directory system may represent a substantial investment. This information is therefore only provided in a limited way under strict conditions to protect and to get return on that investment. Users are not allowed to perform arbitrary searches, but only searches, which in details have been pre-defined by the administrative authorities. The White Pages service as described in ITU-T Rec. F.510 gives examples of such well-defined searches.
  • Only certain parts of the directory (parts of the DIT) are available for a particular service.
  • Legal and privacy issues may affect the service provided. Examples of things that might have to be considered are:
    • picking out a particular ethnic group by searching on certain letter combinations,
    • list all residential persons on a particular street
    • search for people of a certain profession, e.g. for junk mail purposes
    • etc

Service-related Definitions

Service Type

A globally uniquely identification of a service capability for a particular purpose within a well-defined scope, e.g. search for a particular type of entries within an area of the DIT. Not all aspects of a service-type may be available to all users.

Named Service

A collection of service-types that together provide an overall service, e.g. a White Pages service or a Yellow Pages service.

User Class

An identified set of users that due to their, functions, position in an organization, etc., can invoke certain aspects of the service-types within a named-service. Different groups of users identified by their names within a user-class may see variations in the service provided as well as having different access control rights.

Search Rule

The detailed specification of the service aspects provided for a given service-type to a given user-class as adapted to a particular group of users within that user-class.

Figure 3 - Service-related definitions

To further expand on the service view, it is useful to consider some service-related definitions that have been included in X.500 as shown in figure 3.

A service-type is a directory search with a very focused purpose. Searching for an EDI-user with a particular trading profile could be a service-type. To be able to identify a service-type, it is given a unique ASN.1 object identifier. This allows a community, such as an EDI community, to define service-types that are globally recognized and unique. The number of defined service-types could potentially be quite large.

A collection of related service-types is called a named-service. The F.510 White Pages service is such a named-service that includes service-types for locating telecommunications subscriber information.

A service-type may be adapted to a particular user-class. F.510 identifies two user-classes, namely telephone operators and general users. However, other user-classes are envisioned, such as administrators, users in emergency centers, police, intelligence service, etc. For a Yellow Pages service user-classes could be consumers, retailers, governmental institutions, agents, etc.

A search-rule is a detailed specification of a service-type as adapted to a certain user-class. Both the service-type identification and the user-class identification are part of a search-rule definition. The X.500 representation of the search-rule concept is a rather complicated ASN.1 structure. Whenever a search is performed, it has to be performed by invoking a particular search-rule, also called the governing-search-rule.

Several search-rules may be defined for each service-type and user-class combination. This allows different user groups to experience variations in the service. The reason for such variations could be:

  • Differentiation among countries: A service provider may provide different service to different countries for the same user-class.
  • Differentiation based on tariff: A service provider may have variations in the provided service based on tariff considerations.

The user group concept is not explicitly defined in the X.500 Specifications. This has caused some confusion. A user group is not a well-defined set of users. It can only be defined with respect to the individual search-rules. A user group with respect to a search rule is the set of users that can invoke the search-rule. This set of users may be a subset of the users in a user-class for the search-rule and it may include users outside that user-class. As an example, a user within a user-class with extended search rights may also invoke search-rules intended for a user-class with less elaborate search rights.

In X.500 terms, a user group is the set of users having invoke access right to the search-rule in question. This invoke right is controlled by traditional X.500 access control.

A search request that does not comply with any search-rule that may be invoked by the user is rejected.

White Pages named-service

The following is a list of White Pages service-types:

  • Search for state or province
  • Search for locality
  • Search for subscribers within locality
  • Search for subscribers group entries
  • Search for subscribers within state or province
  • Search for subscribers within country
  • Search for street address
  • Search for subscribers by street address
  • Search for subscriber by communications address

Yellow Pages named-service

While the F.510 in details specifies a White Pages named-service, it does provide some general service considerations, that also are applicable for Yellow Pages service. However, a detailed Yellow Pages service, e.g. to be applied within electronic commerce, is still to be defined. Below are given some example of what might be service-types within a Yellow Pages service.

  • Search for building services
  • Search for airline information
  • Search for certain goods
  • Search for entertainment
  • Search for a plumber
  • X
  • X
  • X

Library catalogue service

The following is a list of possible library catalogue service-types:

  • Search for author
  • Search for subject
  • X
  • X
  • X

Page Actions

Recent Changes

Group & Page

Back Links