idnits 2.17.1 draft-ietf-ldapbis-dn-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 24. -- Found old boilerplate from RFC 3978, Section 5.5 on line 665. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 638. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 645. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 651. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 657), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 41. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (10 February 2005) is 6977 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'AuthMeth' is mentioned on line 387, but not defined == Unused Reference: 'Schema' is defined on line 472, but no explicit reference was found in the text == Unused Reference: 'ASCII' is defined on line 481, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234) -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode' -- No information found for draft-ietf-ldapbis-models-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Models' -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Roadmap' -- No information found for draft-ietf-ldapbis-protocol-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Protocol' -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Schema' -- Possible downref: Non-RFC (?) normative reference: ref. 'REGISTRY' -- No information found for draft-ietf-ldapbis-bcp64-xx - is the name correct? Summary: 9 errors (**), 0 flaws (~~), 6 warnings (==), 21 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT Editor: Kurt D. Zeilenga 3 Intended Category: Standard Track OpenLDAP Foundation 4 Expires in six months 10 February 2005 5 Obsoletes: RFC 2253 7 LDAP: String Representation of Distinguished Names 8 10 Status of Memo 12 This document is intended to be, after appropriate review and 13 revision, submitted to the RFC Editor as a Standard Track document 14 replacing RFC 2253. Distribution of this memo is unlimited. 15 Technical discussion of this document will take place on the IETF LDAP 16 Revision (LDAPBIS) Working Group mailing list 17 . Please send editorial comments directly 18 to the document editor . 20 By submitting this Internet-Draft, I accept the provisions of Section 21 4 of RFC 3667. By submitting this Internet-Draft, I certify that any 22 applicable patent or other IPR claims of which I am aware have been 23 disclosed, or will be disclosed, and any of which I become aware will 24 be disclosed, in accordance with RFC 3668. 26 Internet-Drafts are working documents of the Internet Engineering Task 27 Force (IETF), its areas, and its working groups. Note that other 28 groups may also distribute working documents as Internet-Drafts. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference material 33 or to cite them other than as "work in progress." 35 The list of current Internet-Drafts can be accessed at 36 http://www.ietf.org/1id-abstracts.html 38 The list of Internet-Draft Shadow Directories can be accessed at 39 http://www.ietf.org/shadow.html 41 Copyright (C) The Internet Society (2005). All Rights Reserved. 43 Please see the Full Copyright section near the end of this document 44 for more information. 46 Abstract 48 The X.500 Directory uses distinguished names (DNs) as primary keys to 49 entries in the directory. This document defines the string 50 representation used in the Lightweight Directory Access Protocol 51 (LDAP) to transfer distinguished names. The string representation is 52 designed to give a clean representation of commonly used distinguished 53 names, while being able to represent any distinguished name. 55 1. Background and Intended Usage 57 In X.500-based directory systems [X.500], including those accessed 58 using the Lightweight Directory Access Protocol (LDAP) [Roadmap], 59 distinguished names (DNs) are used to unambiguously refer to directory 60 entries [X.501][Models]. 62 The structure of a DN [X.501] is described in terms of ASN.1 [X.680]. 63 In the X.500 Directory Access Protocol [X.511] (and other ITU-defined 64 directory protocols), DNs are encoded using the Basic Encoding Rules 65 (BER) [X.690]. In LDAP, DNs are represented in the string form 66 described in this document. 68 It is important to have a common format to be able to unambiguously 69 represent a distinguished name. The primary goal of this 70 specification is ease of encoding and decoding. A secondary goal is 71 to have names that are human readable. It is not expected that LDAP 72 implementations with a human user interface would display these 73 strings directly to the user, but would most likely be performing 74 translations (such as expressing attribute type names in the local 75 national language). 77 This document defines the string representation of Distinguished Names 78 used in LDAP [Protocol][Syntaxes]. Section 2 details the RECOMMENDED 79 algorithm for converting a DN from its ASN.1 structured representation 80 to a string. Section 3 details how to convert a DN from a string to a 81 ASN.1 structured representation. 83 While other documents may define other algorithms for converting a DN 84 from its ASN.1 structured representation to a string, all algorithms 85 MUST produce strings which adhere to the requirements of Section 3. 87 This document does not define a canonical string representation for 88 DNs. Comparison of DNs for equality is to be performed in accordance 89 with the distinguishedNameMatch matching rule [Syntaxes]. 91 This document is a integral part of the LDAP technical specification 92 [Roadmap] which obsoletes the previously defined LDAP technical 93 specification, RFC 3377, in its entirety. This document obsoletes RFC 94 2253. Changes since RFC 2253 are summarized in Appendix B. 96 This specification assumes familiarity with X.500 [X.500] and the 97 concept of Distinguished Name [X.501][Models]. 99 1.1. Conventions 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in BCP 14 [RFC2119]. 105 Character names in this document use the notation for code points and 106 names from the Unicode Standard [Unicode]. For example, the letter 107 "a" may be represented as either or . 109 Note: a glossary of terms used in Unicode can be found in [Glossary]. 110 Information on the Unicode character encoding model can be found in 111 [CharModel]. 113 2. Converting DistinguishedName from ASN.1 to a String 115 X.501 [X.501] defines the ASN.1 [X.680] structure of distinguished 116 name. The following is a variant provided for discussion purposes. 118 DistinguishedName ::= RDNSequence 120 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 122 RelativeDistinguishedName ::= SET SIZE (1..MAX) OF 123 AttributeTypeAndValue 125 AttributeTypeAndValue ::= SEQUENCE { 126 type AttributeType, 127 value AttributeValue } 129 This section defines the RECOMMENDED algorithm for converting a 130 distinguished name from an ASN.1 structured representation to an UTF-8 131 [RFC3629] encoded Unicode [Unicode] character string representation. 132 Other documents may describe other algorithms for converting a 133 distinguished name to a string, but only strings which conform to the 134 grammar defined in Section 3 SHALL be produced by LDAP 135 implementations. 137 2.1. Converting the RDNSequence 138 If the RDNSequence is an empty sequence, the result is the empty or 139 zero length string. 141 Otherwise, the output consists of the string encodings of each 142 RelativeDistinguishedName in the RDNSequence (according to Section 143 2.2), starting with the last element of the sequence and moving 144 backwards toward the first. 146 The encodings of adjoining RelativeDistinguishedNames are separated by 147 a comma (',' U+002C) character. 149 2.2. Converting RelativeDistinguishedName 151 When converting from an ASN.1 RelativeDistinguishedName to a string, 152 the output consists of the string encodings of each 153 AttributeTypeAndValue (according to Section 2.3), in any order. 155 Where there is a multi-valued RDN, the outputs from adjoining 156 AttributeTypeAndValues are separated by a plus sign ('+' U+002B) 157 character. 159 2.3. Converting AttributeTypeAndValue 161 The AttributeTypeAndValue is encoded as the string representation of 162 the AttributeType, followed by an equals sign ('=' U+003D) character, 163 followed by the string representation of the AttributeValue. The 164 encoding of the AttributeValue is given in Section 2.4. 166 If the AttributeType is defined to have a short name (descriptor) 167 [Models] and that short name is known to be registered 168 [REGISTRY][BCP64bis] as identifying the AttributeType, that short 169 name, a , is used. Otherwise the AttributeType is encoded as 170 the dotted-decimal encoding, a , of its OBJECT IDENTIFIER. 171 The and is defined in [Models]. 173 Implementations are not expected to dynamically update their knowledge 174 of registered short names. However, implementations SHOULD provide a 175 mechanism to allow its knowledge of registered short names to be 176 updated. 178 2.4. Converting an AttributeValue from ASN.1 to a String 180 If the AttributeType is of the dotted-decimal form, the AttributeValue 181 is represented by an number sign ('#' U+0023) character followed by 182 the hexadecimal encoding of each of the octets of the BER encoding of 183 the X.500 AttributeValue. This form is also used when the syntax of 184 the AttributeValue does not have a LDAP-specific [Syntaxes, Section 185 3.1] string encoding defined for it or the LDAP-specific string 186 encoding is not restricted to UTF-8 encoded Unicode characters. This 187 form may also be used in other cases, such as when a reversible string 188 representation is desired (see Section 5.2). 190 Otherwise, if the AttributeValue is of a syntax which has a 191 LDAP-specific string encoding, the value is converted first to a UTF-8 192 encoded Unicode string according to its syntax specification (see 193 [Syntaxes, Section 3.3] for examples). If that UTF-8 encoded Unicode 194 string does not have any of the following characters which need 195 escaping, then that string can be used as the string representation of 196 the value. 198 - a space (' ' U+0020) or number sign ('#' U+0023) occurring at 199 the beginning of the string; 201 - a space (' ' U+0020) character occurring at the end of the 202 string; 204 - one of the characters '"', '+', ',', ';', '<', '>', or '\' 205 (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C 206 respectively); 208 - the null (U+0000) character. 210 Other characters may be escaped. 212 Each octet of the character to be escaped is replaced by a backslash 213 and two hex digits, which form a single octet in the code of the 214 character. Alternatively, if and only if the character to be escaped 215 is one of 217 ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\' 218 (U+0020, U+0022, U+0023, U+002B, U+002C, U+003B, 219 U+003C, U+003D, U+003E, U+005C respectively) 221 it can be prefixed by a backslash ('\' U+005C). 223 Examples of the escaping mechanism are shown in Section 4. 225 3. Parsing a String back to a Distinguished Name 227 The string representation of Distinguished Names is restricted to 228 UTF-8 [RFC3629] encoded Unicode [Unicode] characters. The structure 229 of this string representation is specified using the following 230 Augmented BNF [RFC2234] grammar: 232 distinguishedName = [ relativeDistinguishedName 233 *( COMMA relativeDistinguishedName ) ] 234 relativeDistinguishedName = attributeTypeAndValue 235 *( PLUS attributeTypeAndValue ) 236 attributeTypeAndValue = attributeType EQUALS attributeValue 237 attributeType = descr / numericoid 238 attributeValue = string / hexstring 240 ; The following characters are to be escaped when they appear 241 ; in the value to be encoded: ESC, one of , leading 242 ; SHARP or SPACE, trailing SPACE, and NULL. 243 string = [ ( leadchar / pair ) [ *( stringchar / pair ) 244 ( trailchar / pair ) ] ] 246 leadchar = LUTF1 / UTFMB 247 LUTF1 = %x01-1F / %x21 / %x24-2A / %x2D-3A / 248 %x3D / %x3F-5B / %x5D-7F 250 trailchar = TUTF1 / UTFMB 251 TUTF1 = %x01-1F / %x21 / %x23-2A / %x2D-3A / 252 %x3D / %x3F-5B / %x5D-7F 254 stringchar = SUTF1 / UTFMB 255 SUTF1 = %x01-21 / %x23-2A / %x2D-3A / 256 %x3D / %x3F-5B / %x5D-7F 258 pair = ESC ( ESC / special / hexpair ) 259 special = escaped / SPACE / SHARP / EQUALS 260 escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE 261 hexstring = SHARP 1*hexpair 262 hexpair = HEX HEX 264 where the productions , , , , 265 , , , , , , , , 266 , , are defined in [Models]. 268 Each , either a or a , refers to an 269 attribute type of an attribute value assertion (AVA). The 270 is followed by a and an . 271 The is either in or form. 273 If in form, a LDAP string representation asserted value can 274 be obtained by replacing (left-to-right, non-recursively) each 275 appearing in the as follows: 276 replace with ; 277 replace with ; 278 replace with the octet indicated by the . 280 If in form, a BER representation can be obtained from 281 converting each of the to the octet indicated by 282 the . 284 One or more attribute values assertions, separated by , for a 285 relative distinguished name. 287 Zero or more relative distinguished names, separated by , for a 288 distinguished name. 290 Implementations MUST recognize AttributeType name strings 291 (descriptors) listed in the following table, but MAY recognize other 292 name strings. 294 String X.500 AttributeType 295 ------ -------------------------------------------- 296 CN commonName (2.5.4.3) 297 L localityName (2.5.4.7) 298 ST stateOrProvinceName (2.5.4.8) 299 O organizationName (2.5.4.10) 300 OU organizationalUnitName (2.5.4.11) 301 C countryName (2.5.4.6) 302 STREET streetAddress (2.5.4.9) 303 DC domainComponent (0.9.2342.19200300.100.1.25) 304 UID userId (0.9.2342.19200300.100.1.1) 306 Implementations MAY recognize other DN string representations (such as 307 that described in RFC 1779). However, as there is no requirement that 308 alternative DN string representations to be recognized (and, if so, 309 how), implementations SHOULD only generate DN strings in accordance 310 with Section 2 of this document. 312 4. Examples 314 This notation is designed to be convenient for common forms of name. 315 This section gives a few examples of distinguished names written using 316 this notation. First is a name containing three relative 317 distinguished names (RDNs): 319 UID=jsmith,DC=example,DC=net 321 Here is an example name containing three RDNs, in which the first RDN 322 is multi-valued: 324 OU=Sales+CN=J. Smith,DC=example,DC=net 326 This example shows the method of escaping of a special characters 327 appearing in a common name: 329 CN=James \"Jim\" Smith\, III,DC=example,DC=net 331 The following shows the method for encoding a value which contains a 332 carriage return character: 334 CN=Before\0dAfter,DC=example,DC=net 336 In this RDN example, the type in the RDN is unrecognized, and the 337 value is the BER encoding of an OCTET STRING containing two octets 338 0x48 and 0x69. 340 1.3.6.1.4.1.1466.0=#04024869 342 Finally, this example shows an RDN whose commonName value consisting 343 of 5 letters: 345 Unicode Character Code UTF-8 Escaped 346 ------------------------------- ------ ------ -------- 347 LATIN CAPITAL LETTER L U+004C 0x4C L 348 LATIN SMALL LETTER U U+0075 0x75 u 349 LATIN SMALL LETTER C WITH CARON U+010D 0xC48D \C4\8D 350 LATIN SMALL LETTER I U+0069 0x69 i 351 LATIN SMALL LETTER C WITH ACUTE U+0107 0xC487 \C4\87 353 could be encoded in printable ASCII (useful for debugging purposes) 354 as: 356 CN=Lu\C4\8Di\C4\87 358 5. Security Considerations 360 The following security considerations are specific to the handling of 361 distinguished names. LDAP security considerations are discussed in 362 [Protocol] and other documents comprising the LDAP Technical 363 Specification [Roadmap]. 365 5.1. Disclosure 367 Distinguished Names typically consist of descriptive information about 368 the entries they name, which can be people, organizations, devices or 369 other real-world objects. This frequently includes some of the 370 following kinds of information: 372 - the common name of the object (i.e. a person's full name) 373 - an email or TCP/IP address 374 - its physical location (country, locality, city, street address) 375 - organizational attributes (such as department name or affiliation) 377 In some cases, such information can be considered sensitive. In many 378 countries, privacy laws exist which prohibit disclosure of certain 379 kinds of descriptive information (e.g., email addresses). Hence, 380 servers implementors are encouraged to support DIT structural rules 381 and name forms [Models] as these provide a mechanism for 382 administrators to select appropriate naming attributes for entries. 383 Administrators are encouraged to use these mechanisms, access 384 controls, and other administrative controls which may be available to 385 restrict use of attributes containing sensitive information in naming 386 of entries. Additionally, use of authentication and data security 387 services in LDAP [AuthMeth][Protocol] should be considered. 389 5.2. Use of Distinguished Names in Security Applications 391 The transformations of an AttributeValue value from its X.501 form to 392 an LDAP string representation are not always reversible back to the 393 same BER (Basic Encoding Rules) or DER (Distinguished Encoding rules) 394 form. An example of a situation which requires the DER form of a 395 distinguished name is the verification of an X.509 certificate. 397 For example, a distinguished name consisting of one RDN with one AVA, 398 in which the type is commonName and the value is of the TeletexString 399 choice with the letters 'Sam' would be represented in LDAP as the 400 string . Another distinguished name in which the value is 401 still 'Sam' but of the PrintableString choice would have the same 402 representation . 404 Applications which require the reconstruction of the DER form of the 405 value SHOULD NOT use the string representation of attribute syntaxes 406 when converting a distinguished name to the LDAP format. Instead, 407 they SHOULD use the hexadecimal form prefixed by the number sign ('#' 408 U+0023) as described in the first paragraph of Section 2.4. 410 6. Acknowledgment 412 This document is an update to RFC 2253, by Mark Wahl, Tim Howes, and 413 Steve Kille. RFC 2253 was a product of the IETF ASID Working Group. 415 This document is a product of the IETF LDAPBIS Working Group. 417 7. Document Editor's Address 419 Kurt D. Zeilenga 420 OpenLDAP Foundation 422 Email: Kurt@OpenLDAP.org 424 8. References 426 [[Note to the RFC Editor: please replace the citation tags used in 427 referencing Internet-Drafts with tags of the form RFCnnnn where 428 possible.]] 430 8.1. Normative References 432 [X.501] International Telecommunication Union - 433 Telecommunication Standardization Sector, "The Directory 434 -- Models," X.501(1993) (also ISO/IEC 9594-2:1994). 436 [X.680] International Telecommunication Union - 437 Telecommunication Standardization Sector, "Abstract 438 Syntax Notation One (ASN.1) - Specification of Basic 439 Notation", X.680(1997) (also ISO/IEC 8824-1:1998). 441 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 442 Requirement Levels", BCP 14 (also RFC 2119), March 1997. 444 [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 445 Specifications: ABNF", RFC 2234, November 1997. 447 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 448 10646", RFC 3629 (also STD 63), November 2003. 450 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 451 3.2.0" is defined by "The Unicode Standard, Version 3.0" 452 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), 453 as amended by the "Unicode Standard Annex #27: Unicode 454 3.1" (http://www.unicode.org/reports/tr27/) and by the 455 "Unicode Standard Annex #28: Unicode 3.2" 456 (http://www.unicode.org/reports/tr28/). 458 [Models] Zeilenga, K. (editor), "LDAP: Directory Information 459 Models", draft-ietf-ldapbis-models-xx.txt, a work in 460 progress. 462 [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification 463 Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in 464 progress. 466 [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol", 467 draft-ietf-ldapbis-protocol-xx.txt, a work in progress. 469 [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules", 470 draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress. 472 [Schema] Dally, K. (editor), "LDAP: User Schema", 473 draft-ietf-ldapbis-user-schema-xx.txt, a work in 474 progress. 476 [REGISTRY] IANA, Object Identifier Descriptors Registry, 477 . 479 8.2. Informative References 481 [ASCII] Coded Character Set--7-bit American Standard Code for 482 Information Interchange, ANSI X3.4-1986. 484 [X.500] International Telecommunication Union - 485 Telecommunication Standardization Sector, "The Directory 486 -- Overview of concepts, models and services," 487 X.500(1993) (also ISO/IEC 9594-1:1994). 489 [X.690] International Telecommunication Union - 490 Telecommunication Standardization Sector, "Specification 491 of ASN.1 encoding rules: Basic Encoding Rules (BER), 492 Canonical Encoding Rules (CER), and Distinguished 493 Encoding Rules (DER)", X.690(1997) (also ISO/IEC 494 8825-1:1998). 496 [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) - 497 Technical Specification", RFC 2849, June 2000. 499 [BCP64bis] Zeilenga, K., "IANA Considerations for LDAP", 500 draft-ietf-ldapbis-bcp64-xx.txt, a work in progress. 502 [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report 503 #17, Character Encoding Model", UTR17, 504 , August 505 2000. 507 [Glossary] The Unicode Consortium, "Unicode Glossary", 508 . 510 Appendix A. Presentation Issues 512 This appendix is provided for informational purposes only, it is not a 513 normative part of this specification. 515 The string representation described in this document is not intended 516 to be presented to humans without translation. However, at times it 517 may be desirable to present non-translated DN strings to users. This 518 section discusses presentation issues associated with non-translated 519 DN strings. Presentation of translated DN strings issues are not 520 discussed in this appendix. Transcoding issues are also not discussed 521 in this appendix. 523 This appendix provides guidance for applications presenting DN strings 524 to users. This section is not comprehensive, it does not discuss all 525 presentation issues which implementors may face. 527 Not all user interfaces are capable of displaying the full set of 528 Unicode characters. Some Unicode characters are not displayable. 530 It is recommended that human interfaces use the optional hex pair 531 escaping mechanism (Section 2.3) to produce a string representation 532 suitable for display to the user. For example, an application can 533 generate a DN string for display which escapes all non-printable 534 characters appearing in the AttributeValue's string representation (as 535 demonstrated in the final example of Section 4). 537 When a DN string is displayed in free form text, it is often necessary 538 to distinguish the DN string from surrounding text. While this is 539 often done with white space (as demonstrated in Section 4), it is 540 noted that DN strings may end with white space. Careful readers of 541 Section 3 will note that characters '<' (U+003C) and '>' (U+003E) may 542 only appear in the DN string if escaped. These characters are 543 intended to be used in free form text to distinguish a DN string from 544 surrounding text. For example, distinguished the string 545 representation of the DN comprised of one RDN consisting of the AVA: 546 the commonName (CN) value 'Sam ' from the surrounding text. It should 547 be noted to the user that the wrapping '<' and '>' characters are not 548 part of the DN string. 550 DN strings can be quite long. It is often desirable to line-wrap 551 overly long DN strings in presentations. Line wrapping should be done 552 by inserting white space after the RDN separator character or, if 553 necessary, after the AVA separator character. It should be noted to 554 the user that the inserted white space is not part of the DN string 555 and is to be removed before use in LDAP. For example, 557 The following DN string is long: 559 CN=Kurt D. Zeilenga,OU=Engineering,L=Redwood Shores, 560 O=OpenLDAP Foundation,ST=California,C=US 561 so it has been line-wrapped for readability. The extra white 562 space is to be removed before the DN string is used in LDAP. 564 It is not advised to insert white space otherwise as it may not be 565 obvious to the user which white space is part of the DN string and 566 which white space was added for readability. 568 Another alternative is to use the LDAP Data Interchange Format (LDIF) 569 [RFC2849]. For example, 571 # This entry has a long DN... 572 dn: CN=Kurt D. Zeilenga,OU=Engineering,L=Redwood Shores, 573 O=OpenLDAP Foundation,ST=California,C=US 574 CN: Kurt D. Zeilenga 575 SN: Zeilenga 576 objectClass: person 578 Appendix B. Changes made since RFC 2253 580 This appendix is provided for informational purposes only, it is not a 581 normative part of this specification. 583 The following substantive changes were made to RFC 2253: 584 - Removed IESG Note. The IESG Note has been addressed. 585 - Replaced all references to ISO 10646-1 with [Unicode]. 586 - Clarified (in Section 1) that this document does not define a 587 canonical string representation. 588 - Clarified that Section 2 describes the RECOMMENDED encoding 589 algorithm and that alternative algorithms are allowed. Some 590 encoding options described in RFC 2253 are now treated as 591 alternative algorithms in this specification. 592 - Revised specification (in Section 2) to allow short names of any 593 registered attribute type to appear in string representations of 594 DNs instead of being restricted to a "published table". Remove 595 "as an example" language. Added statement (in Section 3) allowing 596 recognition of additional names but require recognization of those 597 names in the published table. The table is now published in 598 Section 3. 599 - Removed specification of additional requirements for LDAPv2 600 implementations which also support LDAPv3 (RFC 2253, Section 4) as 601 LDAPv2 is now Historic. 602 - Allow recognition of alternative string representations. 603 - Updated Section 2.4 to allow hex pair escaping of all characters 604 and clarified escaping for when multiple octet UTF-8 encodings are 605 present. Indicated that null (U+0000) character is to be escaped. 607 Indicated that equals sign ('=' U+003D) character may be escaped 608 as '\='. 609 - Rewrote Section 3 to use ABNF as defined in RFC 2234. 610 - Updated the Section 3 ABNF. Changes include: 611 + allow AttributeType short names of length 1 (e.g., 'L'), 612 + use more restrictive production in AttributeTypes, 613 + do not require escaping of equals sign ('=' U+003D) characters, 614 + do not require escaping of non-leading number sign ('#' U+0023) 615 characters, 616 + allow space (' ' U+0020) to escaped as '\ ', 617 + require hex escaping of null (U+0000) characters, and 618 + removed LDAPv2-only constructs. 619 - Updated Section 3 to describe how to parse elements of the 620 grammar. 621 - Rewrote examples. 622 - Added reference to documentations containing general LDAP security 623 considerations. 624 - Added discussion of presentation issues (Appendix A). 625 - Added this appendix. 627 In addition, numerous editorial changes were made. 629 Intellectual Property Rights 631 The IETF takes no position regarding the validity or scope of any 632 Intellectual Property Rights or other rights that might be claimed to 633 pertain to the implementation or use of the technology described in 634 this document or the extent to which any license under such rights 635 might or might not be available; nor does it represent that it has 636 made any independent effort to identify any such rights. Information 637 on the procedures with respect to rights in RFC documents can be found 638 in BCP 78 and BCP 79. 640 Copies of IPR disclosures made to the IETF Secretariat and any 641 assurances of licenses to be made available, or the result of an 642 attempt made to obtain a general license or permission for the use of 643 such proprietary rights by implementers or users of this specification 644 can be obtained from the IETF on-line IPR repository at 645 http://www.ietf.org/ipr. 647 The IETF invites any interested party to bring to its attention any 648 copyrights, patents or patent applications, or other proprietary 649 rights that may cover technology that may be required to implement 650 this standard. Please address the information to the IETF at 651 ietf-ipr@ietf.org. 653 Full Copyright 655 Copyright (C) The Internet Society (2005). This document is subject 656 to the rights, licenses and restrictions contained in BCP 78, and 657 except as set forth therein, the authors retain all their rights. 659 This document and the information contained herein are provided on an 660 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 661 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 662 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 663 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 664 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 665 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.