From the very beginning of the development the X.500 Directory Specifications were seen as a specification of a single directory providing a global service both with respect to geography as well as to applications.
ITU-T Rec. F.510 describes the directory service for a very particular purpose, namely its use for the retrieval of telephone numbers, e-mail addresses, Internet addresses, etc. F.510 is a service-oriented specification that does not assume any particular directory technology and does not make use of X.500 terminology.
F.510 specifies a restricted service in the sense that it specifies in some detail what types of directory enquiries can be made and what information can be returned. The service is to be closely controlled and restricted by the service provider. This is somewhat different from the traditional directory service view. It can therefore be useful to analyse two extremes of directory service views:
These two extremes are expanded upon on this page. It is, of course, possible to take a view somewhere in the middle.
Figure 1 illustrates the global service view. Here, a directory is viewed as a set of interconnected directory servers (DSAs). In this traditional directory service view, organizations, e.g. service providers, add information into entries in such directory servers. The entries can then be browsed, listed, searched, read, etc. for whatever purposes the user might have.
In traditional X.500 thinking the directory service is what can be obtained through some client (e.g. through DAP, LDAP or the Web). In principle, a user can, through a single, general user interface, search any area of the DIT, construct a search filter in any way, and request any information and get it. The only restriction on such a service is the access control applied to protect sensitive information. Local restrictions may also be applied. The access control is based purely on user identity and not on the particular service being provided. Current X.500 access control can protect individual pieces of information, but it does not take into account that even when pieces of information are not individually sensitive, a combination of non-sensitive information may in itself be sensitive. Neither does access control take into account that the information in the directory may represent a substantial investment that should be protected for reasons other than sensitivity.
In the focused service view the user does not see the directory as a repository for all kinds of information, distributed and organized in a structured way. The user sees the directory as a system that provides a particular well-defined service to serve a particular need, as illustrated in figure 2. A directory system may provide several services. However, the user may see such services as distinct and unrelated services, each having a separate user interface adapted to the particular service.
A user has some perception of a directory service, such as:
A directory service provider also has some perception about the service to be provided:
Service-type: a globally unique identification of a service capability for a particular purpose within a well-defined scope, e.g. a search for a particular type of entry within an area of the DIT. Not all aspects of a service-type may be available to all users.
Named-service: a collection of service-types that together provide an overall service, e.g. a White Pages service or a Yellow Pages service.
User-class: an identified set of users that, due to their functions, position in an organization, etc., can invoke certain aspects of the service-types within a named-service. Different groups of users identified by their names within a user-class may see variations in the service provided as well as having different access control rights.
Search-rule: the detailed specification of the service aspects provided for a given service-type to a given user-class, as adapted to a particular group of users within that user-class.
Figure 3 - Service-related definitions
To further expand on the service view, it is useful to consider some service-related definitions that have been included in X.500 as shown in figure 3.
A service-type is a directory search with a very focused purpose. Searching for an EDI-user with a particular trading profile could be a service-type. To be able to identify a service-type, it is given a unique ASN.1 object identifier. This allows a community, such as an EDI community, to define service-types that are globally recognized and unique. The number of defined service-types could potentially be quite large.
A collection of related service-types is called a named-service. The F.510 White Pages service is such a named-service that includes service-types for locating telecommunications subscriber information.
A service-type may be adapted to a particular user-class. F.510 identifies two user-classes, namely telephone operators and general users. However, other user-classes are envisioned, such as administrators, users in emergency centers, police, intelligence service, etc. For a Yellow Pages service user-classes could be consumers, retailers, governmental institutions, agents, etc.
A search-rule is a detailed specification of a service-type as adapted to a certain user-class. Both the service-type identification and the user-class identification are part of a search-rule definition. The X.500 representation of the search-rule concept is a rather complicated ASN.1 structure. Whenever a search is performed, it has to be performed by invoking a particular search-rule, also called the governing-search-rule.
Several search-rules may be defined for each service-type and user-class combination. This allows different user groups to experience variations in the service. The reason for such variations could be:
The user group concept is not explicitly defined in the X.500 Specifications. This has caused some confusion. A user group is not a well-defined set of users. It can only be defined with respect to the individual search-rules. A user group with respect to a search-rule is the set of users that can invoke the search-rule. This set of users may be a subset of the users in the user-class of the search-rule, and it may include users outside that user-class. As an example, a user within a user-class with extended search rights may also invoke search-rules intended for a user-class with less elaborate search rights.
In X.500 terms, a user group is the set of users having invoke access right to the search-rule in question. This invoke right is controlled by traditional X.500 access control.
A search request that does not comply with any search-rule that may be invoked by the user is rejected.
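As an added example (not part of the original page nor of the X.500 specifications), the following simplified Python model shows the search-rule mechanism described above: the governing-search-rule is the first rule the user holds invoke right to that the request stays within, and a request fitting no invocable rule is rejected. The OID 2.999.1, the user names, the attribute sets and the size limits are constructed placeholders; the operator user "op1" is also listed as an invoker of the general-user rule, illustrating that a user group may include users outside the rule's user-class.

```python
from dataclasses import dataclass
# Constructed, simplified model of X.500 search-rules; OIDs and names are placeholders.

@dataclass(frozen=True)
class SearchRule:
    rule_id: int
    service_type: str        # object identifier of the service-type
    user_class: str          # user-class the rule is adapted to
    invokers: frozenset      # users holding invoke right: the rule's "user group"
    filter_attrs: frozenset  # attributes allowed in the search filter
    return_attrs: frozenset  # attributes allowed to be requested back
    max_results: int         # size limit imposed by the service

@dataclass(frozen=True)
class SearchRequest:
    user: str
    service_type: str
    filter_attrs: frozenset
    requested_attrs: frozenset
    size_limit: int

def complies(rule: SearchRule, req: SearchRequest) -> bool:
    """True if the request stays within everything the rule permits."""
    return (rule.service_type == req.service_type
            and req.filter_attrs <= rule.filter_attrs
            and req.requested_attrs <= rule.return_attrs
            and req.size_limit <= rule.max_results)

def governing_search_rule(rules, req):
    """First rule the user may invoke that req complies with; None means rejected."""
    for rule in rules:
        if req.user in rule.invokers and complies(rule, req):
            return rule
    return None

# Two rules for one service-type (placeholder OID 2.999.1), one per F.510 user-class.
RULES = (
    SearchRule(1, "2.999.1", "telephone-operator", frozenset({"op1"}),
               frozenset({"cn", "telephoneNumber", "localityName"}),
               frozenset({"cn", "telephoneNumber", "postalAddress"}), 200),
    SearchRule(2, "2.999.1", "general-user", frozenset({"op1", "alice"}),
               frozenset({"cn", "localityName"}),
               frozenset({"cn", "telephoneNumber"}), 20),
)

def lookup(user, filter_attrs, requested, limit=10):
    req = SearchRequest(user, "2.999.1", frozenset(filter_attrs), frozenset(requested), limit)
    rule = governing_search_rule(RULES, req)
    return rule.rule_id if rule else None
```

Note that a general user filtering on telephoneNumber is rejected outright rather than receiving a partial result, which is how the search-rule model prevents a combination of individually non-sensitive attributes from being turned into a reverse lookup.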
The following is a list of White Pages service-types:
While F.510 specifies a White Pages named-service in detail, it also provides some general service considerations that are applicable to a Yellow Pages service. However, a detailed Yellow Pages service, e.g. one to be applied within electronic commerce, is still to be defined. Below are some examples of what might be service-types within a Yellow Pages service.
The following is a list of possible library catalogue service-types: