idnits 2.17.1 

draft-findlay-ldap-groupofentries-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 14.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 185.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 196.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 203.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 209.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 231 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([2]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 93: '...            MUST ( member $...'
     RFC 2119 keyword, line 95: '...            MAY ( businessCategory $...'
     RFC 2119 keyword, line 115: '...            MUST ( cn )...'
     RFC 2119 keyword, line 116: '...            MAY ( member $...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 13, 2007) is 6063 days in the past.  Is
     this intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                         A. Findlay
3	Internet-Draft                                            Skills 1st Ltd
4	Expires: March 16, 2008                               September 13, 2007

6	                  The LDAP groupOfEntries object class
7	                  draft-findlay-ldap-groupofentries-00

9	Status of this Memo

11	   By submitting this Internet-Draft, each author represents that any
12	   applicable patent or other IPR claims of which he or she is aware
13	   have been or will be disclosed, and any of which he or she becomes
14	   aware will be disclosed, in accordance with Section 6 of BCP 79.

16	   Internet-Drafts are working documents of the Internet Engineering
17	   Task Force (IETF), its areas, and its working groups.  Note that
18	   other groups may also distribute working documents as Internet-
19	   Drafts.

21	   Internet-Drafts are draft documents valid for a maximum of six months
22	   and may be updated, replaced, or obsoleted by other documents at any
23	   time.  It is inappropriate to use Internet-Drafts as reference
24	   material or to cite them other than as "work in progress."

26	   The list of current Internet-Drafts can be accessed at
27	   http://www.ietf.org/ietf/1id-abstracts.txt.

29	   The list of Internet-Draft Shadow Directories can be accessed at
30	   http://www.ietf.org/shadow.html.

32	   This Internet-Draft will expire on March 16, 2008.

34	Copyright Notice

36	   Copyright (C) The IETF Trust (2007).

38	Abstract

40	   This memo describes the LDAP groupOfEntries object class which is a
41	   replacement for the existing groupOfNames class.  The new class
42	   permits the creation of empty groups.

44	   If approved as a Standards Track document, this document will update
45	   RFC4519 [2]

47	Document Intent

49	   This document is intended to be, after appropriate review and
50	   revision, submitted to the RFC Editor as a Standards Track document.
51	   Distribution of this memo is unlimited.  Technical discussion of this
52	   document will take place on the IETF LDAP Extensions mailing list
53	   <ldapext@ietf.org>.  Please send editorial comments directly to the
54	   author <andrew.findlay@skills-1st.co.uk>

56	1.  Introduction

58	   A groupOfNames object class has existed since the earliest X.521 [1]
59	   standard.  It has an identical definition in LDAP (RFC4519 [2]).  The
60	   class is used to define entries holding DN-valued member attributes,
61	   each value pointing to an entry that represents a single member of
62	   the group being described, or to another entry of type groupOfNames.

64	   groupOfNames is a structural object class, so it is often the only
65	   class used in the definition of group objects.

67	   Experience has shown that the definition of groupOfNames causes
68	   difficulties in practice.  In particular, the fact that 'member' is a
69	   mandatory attribute means that it is not possible to create an empty
70	   group or to delete the last member from a group.  This leads to
71	   artificial tricks such as making every group a member of itself, or
72	   adding a dummy member to every group when it is created.  These
73	   tricks in turn make the management of groups more complex and prone
74	   to error.  Groups are commonly used to control access to resources,
75	   so management errors can lead to security risks.

77	   There does not appear to be any good reason for the 'member'
78	   attribute to be mandatory.  This memo describes a new object class
79	   called groupOfEntries that is equivalent to groupOfNames in all other
80	   respects but which makes 'member' an optional attribute.

82	2.  The existing groupOfNames object class

84	   RFC4519 [2] contains this definition:

86	   The 'groupOfNames' object class is the basis of an entry that
87	   represents a set of named objects including information related to
88	   the purpose or maintenance of the set.  (Source: X.521 [1])

90	         ( 2.5.6.9 NAME 'groupOfNames'
91	            SUP top
92	            STRUCTURAL
93	            MUST ( member $
94	                  cn )
95	            MAY ( businessCategory $
96	                  seeAlso $
97	                  owner $
98	                  ou $
99	                  o $
100	                  description ) )

102	   The inclusion of 'member' in the 'MUST' section of the definition
103	   prevents empty groups from being created.

105	3.  The groupOfEntries object class

107	   The 'groupOfEntries' object class is the basis of an entry that
108	   represents a set of named objects including information related to
109	   the purpose or maintenance of the set.  It should be used in
110	   preference to the 'groupOfNames' object class.

112	         ( 1.2.826.0.1.3458854.2.1.1.1 NAME 'groupOfEntries'
113	            SUP top
114	            STRUCTURAL
115	            MUST ( cn )
116	            MAY ( member $
117	                  businessCategory $
118	                  seeAlso $
119	                  owner $
120	                  ou $
121	                  o $
122	                  description ) )

124	   This object class allows groups to be empty.  In all other respects
125	   it behaves like the groupOfNames object class.

127	   The OID assigned to this object class is delegated by Skills 1st Ltd.

129	4.  Effect on other documents

131	   This draft deprecates the use of the groupOfNames object class in
132	   RFC4519 [2] and replaces it with the groupOfEntries class.

134	5.  IANA considerations

136	   It is requested that IANA register upon Standards Action the
137	   groupOfEntries Object Identifier Descriptor and its associated OID.

139	6.  Security considerations

141	   Groups are commonly used to define access permissions to directory
142	   entries and resources in other services.  Allowing for empty groups
143	   avoids the risks associated with leaving a dummy placeholder member
144	   in group entries, so security is improved.

146	Appendix A.  Acknowledgements

148	   The author gratefully acknowledges the contributions of Michael
149	   Stroeder to the first draft of this document.

151	7.  Informative References

153	   [1]  "The Directory: Selected Object Classes", ITU-T
154	        Recommendation X.521, March 1988.

156	   [2]  "LDAP: Schema for User Applications", RFC 4519, June 2006.

158	Author's Address

160	   Andrew Findlay
161	   Skills 1st Ltd
162	   2 Cedar Chase
163	   Taplow
164	   Maidenhead  SL6 0EU
165	   GB

167	   Phone: +44 1628 782565
168	   Email: andrew.findlay@skills-1st.co.uk
169	   URI:   http://www.skills-1st.co.uk/

171	Full Copyright Statement

173	   Copyright (C) The IETF Trust (2007).

175	   This document is subject to the rights, licenses and restrictions
176	   contained in BCP 78, and except as set forth therein, the authors
177	   retain all their rights.

179	   This document and the information contained herein are provided on an
180	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
181	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
182	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
183	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
184	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
185	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

187	Intellectual Property

189	   The IETF takes no position regarding the validity or scope of any
190	   Intellectual Property Rights or other rights that might be claimed to
191	   pertain to the implementation or use of the technology described in
192	   this document or the extent to which any license under such rights
193	   might or might not be available; nor does it represent that it has
194	   made any independent effort to identify any such rights.  Information
195	   on the procedures with respect to rights in RFC documents can be
196	   found in BCP 78 and BCP 79.

198	   Copies of IPR disclosures made to the IETF Secretariat and any
199	   assurances of licenses to be made available, or the result of an
200	   attempt made to obtain a general license or permission for the use of
201	   such proprietary rights by implementers or users of this
202	   specification can be obtained from the IETF on-line IPR repository at
203	   http://www.ietf.org/ipr.

205	   The IETF invites any interested party to bring to its attention any
206	   copyrights, patents or patent applications, or other proprietary
207	   rights that may cover technology that may be required to implement
208	   this standard.  Please address the information to the IETF at
209	   ietf-ipr@ietf.org.

211	Acknowledgment

213	   Funding for the RFC Editor function is provided by the IETF
214	   Administrative Support Activity (IASA).