draft-coretta-oiddir-radua-01.txt

RADUA                                                         J. Coretta
Internet-Draft                                           August 27, 2024
Intended status: Experimental
Obsoletes: X660LDAP
Expires: February 23, 2025


                   The OID Directory: The RA DUA
                 draft-coretta-oiddir-radua-01.txt

Abstract

   In service to the "OID Directory" I-D series, this I-D covers design
   strategies, requirements and procedures for the client component of
   the OID Directory Registration Authority client/server model.

   See the RADIR I-D for a complete draft series manifest.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 23, 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






Coretta                Expires February 23, 2025                [Page 1]

Internet-Draft       The OID Directory: RA Client            August 2024


Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions ................................................2
      1.2. Acronyms Used ..............................................2
         1.2.1. Definitions ...........................................3
      1.3. Intended Audience ..........................................3
      1.5. Parameter Abstraction ......................................3
   2. The RA DUA ......................................................3
      2.1. Defined Parameters .........................................4
      2.2. Procedures .................................................5
         2.2.1. Schema Availability ...................................5
         2.2.2. Configuration .........................................5
         2.2.3. Queries ..............................................10
         2.2.4. New Allocations ......................................17
         2.2.5. Allocation Updates ...................................22
   3. IANA Considerations ............................................23
   4. Security Considerations ........................................23
   5. References .....................................................23
      5.1. Normative References ......................................23
      5.2. Informative References ....................................24
   Author's Address ..................................................25

1.  Introduction

   The X.500 Directory User Agent represents the client component within
   the traditional client/server model that interacts with any number of
   X.500 Directory System Agents for the purposes of information access.

   Within the terms of this I-D series, the Directory User Agent serves
   as a client of OID registration and registrant content, as retrieved
   from a Registration Authority Directory Information Tree.

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described
   in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
   all capitals, as shown here.

1.2.  Acronyms Used

   See Section 1.3 of the RADIR I-D for all acronym references.  Also,
   see Sections 1.7 and 1.8 of the RADIR I-D for generalized terms and
   descriptions of significance to this I-D series.







Coretta                Expires February 23, 2025                [Page 2]

Internet-Draft       The OID Directory: RA Client            August 2024


1.2.1.  Definitions

   The composite acronym "RA DUA" is hereby introduced within this I-D.
   The acronym abbreviates the aforementioned 'Registration Authority
   Directory User Agent' term, which describes the 'client' component
   implied within the client/server model relevant to this I-D series.

   The composite acronym "RA DSA" used throughout this I-D is defined in
   Section 1.2.1 of the RADSA I-D.

   The composite acronym "RA DIT" used throughout this I-D is defined in
   Section 1.2.1 of the RADIT I-D.

1.3.  Intended Audience

   This I-D is intended for application designers, X.500/LDAP architects
   and other personnel tasked with supporting or designing components
   related to the RA client/server model in service to this I-D series.

   General familiarity with the broad X.500/LDAP specification, as well
   all supporting I-Ds cited in Section 2 of the RADIR I-D is STRONGLY
   RECOMMENDED.

1.4.  Parameter Abstraction

   For simplicity in describing certain request or argument parameters
   involving either DAP or LDAP operations in this I-D, a simplified
   abstraction of ASN.1 parameters is shown to aid RA DUA adopter.

   For example, the following structure may be used to outline the
   parameters of a Read or Search Operation to be conducted as part
   of an RA DUA managed procedure.

      baseObject = dn          ; DN: see RFC4514 and X.501
      scope      = 0/1/2       ; eq. X.511 'subset'
      typesOnly  = bool or int ; see. X.511 'EntryInformationSelection'
                               ; and RFC4512 'SearchRequest'
      filter     = filter      ; see X.511 and RFC4515
      attributes = selection(s); see. X.511 'EntryInformationSelection'
                               ; and RFC4512 'AttributeSelector'

   While the abstraction has favored the use of LDAP-focused parameters
   derived from [RFC4511], adopters MAY assume similar directives are
   applicable within the context of DAP unless otherwise indicated.

2.  The RA DUA

   The RA DUA is a traditional X.500/LDAP client -- supporting most or
   all of the standard operations defined throughout clauses 9 through
   12 of ITU-T Rec. X.511, and throughout Section 4 of [RFC4511] --
   that has been OPTIMIZED for use within the terms of this I-D series.


Coretta                Expires February 23, 2025                [Page 3]

Internet-Draft       The OID Directory: RA Client            August 2024


2.1.  Defined Parameters

   The RA DUA is expected to support the directory protocols facilitated
   by the endpoint RA DSA(s), whether DAP, LDAP or both.  Support for
   connectivity via the OSI networking stack, TCP/IP or IPC socket by
   the RA DUA is determined by the operational requirements of the RA
   DSA(s) in question.

   Support for parallel X.500 protocols -- such as DOP or DSP -- is not
   specifically indicated.

   No recommendations are made regarding the "appearance" or interactive
   nature of the RA DUA (i.e.: TUI vs. GUI), nor are any recommendations
   made regarding the specific language or framework used in its design.

   No particular software license applied to the RA DUA is assumed.

   The intended application may be for any end user in general, or it
   may be administratively focused.  The RA DUA may be obtained by the
   general public, or it may be wholly proprietary and for internal use
   only.

   The capabilities of the RA DUA MAY be flexible to suit the end user,
   or it may be strictly regimented, allowing few variations of behavior
   in routine operations.

   In situations where an RA DUA is designed solely for the query and
   presentation of entries with no possibility of support for entry
   modifications, adopters MAY forego implementation of operational
   capabilities that are Write-focused in nature.

   Application designers SHOULD make use of ONLY industry-recognized
   X.500/LDAP APIs, SDKs or libraries in a manner compliant with all
   "Best Practices" suggested by both the maintainer(s) and the authors
   of the standards indicated.

   The RA DUA is not necessarily user-managed.  An RA DUA may manifest
   in "clientless" form -- for example, facilitated through a web-based
   application interface residing on the RA DSA(s) directly, thus acting
   in the context of an abstract protocol gateway.  These strategies may
   prove useful in reducing both the effort required by the end-user in
   order to access the service, as well as the costs of supporting the
   end user.

   Regardless of the design and deployment philosophies employed, the
   primary focus of the RA DUA -- with particular emphasis on any and
   all proposed optimizations -- is to reduce the tedium of access and
   administration of potentially large registration and authority bases,
   and to introduce protective controls meant to ensure integrity of all
   relevant content within the RA DIT.



Coretta                Expires February 23, 2025                [Page 4]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.  Procedures

   The RA DUA SHALL observe the procedures defined in the following
   subsections as it pertains to the query, allocation and maintenance
   of 'registration' and 'registrant' entries within an RA DSA.

2.2.1.  Schema Availability

   The RA DUA MUST obtain -- or possess complete foreknowledge of -- all
   schema definitions officially defined in Section 2 of the RASCHEMA
   I-D as well as the schema definitions serving as super types for many
   of the attribute types defined in Section 2.3 of the RASCHEMA I-D.

   In addition, the RA DUA MUST both recognize and honor any additional
   DIT content rules, DIT structure rules and/or (additional) name forms
   created by the directory architects or administrators after-the-fact.

   Obtaining the necessary schema definitions is typically conducted in
   either of the following manners, shown in order of preference.

      - Through a direct Read of the 'subschemaSubentry' of the RA DSA
      - Through manual processing of the (approved) schema file(s) based
        upon the complete contents of the RASCHEMA I-D

   When obtaining the schema through use of a Read or Search Operation,
   the schema SHOULD be refreshed at the commencement of a new RA DUA
   session.  This accounts for changes to the schema definitions that
   may have taken place during runtime.

   If the RA DSA has no apparent knowledge of the definitions to be used
   for the query and/or allocation of registrations and/or registrants
   within the RA DIT, the RA DUA MUST abandon attempts to interact with
   the RA DSA.  It is RECOMMENDED that, in this case, the RA DUA present
   the user with error information describing the problem.  This could
   suggest an RA DSA configuration problem, or possibly that the wrong
   RA DSA has been targeted by the RA DUA.

2.2.2.  Configuration

   There are two (2) modes of RA DUA configuration: automatic or manual.

   Section 2.3 of the RASCHEMA I-D introduces a small handful of types
   intended for "advertisement" by the RA DSA and for consumption by the
   RA DUA.  These attributes are as follows:

     - 'rARegistrationBase' ; ex.: ou=Registrations,o=rA
     - 'rARegistrantBase'   ; ex.: ou=Registrants,o=rA
     - 'rADirectoryModel'   ; ex.: 1.3.6.1.4.1.56521.101.3.1.3
     - 'rAServiceMail'      ; ex.: support@ra.example.com
     - 'rAServiceURI'       ; ex.: https://ra.example.com
     - 'rADITProfile'       ; ex.: dc=example,dc=com
     - 'rATTL'              ; ex.: 86400

Coretta                Expires February 23, 2025                [Page 5]

Internet-Draft       The OID Directory: RA Client            August 2024


   These attribute types are extended through use of the 'rADUAConfig'
   AUXILIARY object class.  See Section 2.3.6 of the RADSA I-D for
   usable examples involving this class.

   Auto-discovery of these attribute types will require disclosure
   privileges for the root DSE and any other entries that bear the
   'rADUAConfig' object class.

   Though the particulars of the root DSE are well outside the scope of
   this I-D series, it is typically accessed via the Read Operation
   executed upon a NULL baseObject.

   Retrieval SHOULD be made conditional using the 'rADUAConfig' object
   class as the filter AVA, and SHOULD involve attribute selection of
   the types shown below.

      filter     = objectClass=rADUAConfig   ; Require 'rADUAConfig'
      attributes = rARegistrationBase
                   rARegistrantBase
                   rADirectoryModel
                   rAServiceMail
                   rAServiceURI
                   rADITProfile
                   rATTL

   If zero (0) entries are returned as a result of the Read Operation,
   this indicates any of the following:

      - The RA DSA is not available
      - The root DSE is not accessible, possibly due to access rights
      - The root DSE is accessible, but lacks the 'rADUAConfig' class

   Given any of these conditions, automatic parameter input has failed.
   The RA DUA has no alternative other than manual parameter input.

   If one (1) entry is returned, the root DSE is accessible and has been
   configured for automatic input.  The RA DUA SHOULD choose to proceed
   with configuration using the values provided.

   See Section 2.3.6 of the RADSA I-D regarding the possible methods
   for implementation of this entry with respect to multiple RA DITs
   served by an RA DSA as opposed to a single RA DIT.

   If manual input of configuration values is required, typically this
   would require foreknowledge of the correct values, or access to an
   informational resource which makes those values available.

   In this scenario, the RA DUA MUST request the user follow a procedure
   for manual input prior to use.  Lack of proper configuration values
   precludes any RA DUA session.



Coretta                Expires February 23, 2025                [Page 6]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.2.1.  Processing

   Following value input -- whether automatic or manual -- the acquired
   values MUST be processed and validated.

   The following subsections cover each 'rADUAConfig'-extended attribute
   type in the context of runtime configuration of the RA DUA.

2.2.2.1.1.  'rADITProfile'

   The 'rADITProfile' attribute type stores any number of DN values,
   each acting as a reference to a DIT-housed 'rADUAConfig' entry
   which contains the standard configuration parameters required by
   the RA DUA.

   The 'rADITProfile' attribute type is a CRITICAL component within any
   implementation in which the following conditions apply:

      - Multiple RA DITs reside on a single RA DSA, with each RA DIT
        accessed using potentially different configuration values
      - Single RA DITs which bear usable configuration settings within
        DIT entry contexts -- as opposed to storage within the root DSE

   In either case, the root DSE SHALL NOT contain any of the attribute
   types extended by the MAY clauses of the 'rADUAConfig' AUXILIARY
   object class OTHER THAN the 'rADITProfile', 'rATTL', 'rAServiceMail',
   and 'rAServiceURI' attribute types.

   Similarly, referenced 'rADUAConfig' entries within an RA DIT SHALL
   NOT bear instances of the 'rADITProfile' attribute type.

   Instances where these attribute types are improperly combined within
   entries is considered a "Duplicate RA Context Error" and represents
   a serious operational deficiency that MUST be reported to the end
   user.  The RA DUA SHOULD fail the session or (optionally) allow for
   administrative override if corrective measures may be taken.

2.2.2.1.2.  'rARegistrationBase'

   The 'rARegistrationBase' attribute type is the most CRITICAL of all
   attribute types related to RA DUA configuration.

   The purpose of this multi-valued type is to store the DN(s) in which
   'registration' entries are stored.  This parameter is REQUIRED, as it
   prevents the need for inefficient broad-level Search Operations,
   potentially within a particularly large directory information tree.

   The RA DUA MUST handle the instance value(s) as follows:





Coretta                Expires February 23, 2025                [Page 7]

Internet-Draft       The OID Directory: RA Client            August 2024


      1.  Verify presence and accessibility of entries identified by the
          respective DN values using the Read Operation
      2.  Determine whether the given entries bear the 'registration'
          ABSTRACT object class
      2a. If the named entries DO NOT bear the 'registration' class, the
          RA DUA must interpret the entries as simple organizational
          containers housing 'registration' entries one (1) level below
      2b. If the named entries bear the 'registration' class, this is
          indicative of an official starting-point for registration
          content within the "OID Directory"
      3.  Preserve these DNs for the remainder of the session, as they
          will influence the various operations that may take place

   In the case of condition "2a", a read-only RA DUA MAY opt to fail the
   session if no 'registration' entries reside exactly one (1) level
   beneath the apparent "organizational container" entry.  The RA DUA
   MAY allow for administrative override of this behavior, thereby
   allowing retroactive registration creation within an implementation
   not yet populated.

2.2.2.1.3.  'rARegistrantBase'

   The 'rARegistrantBase' attribute type is OPTIONAL in terms of RA DUA
   configuration.  It identifies one (1) or more DNs which lead to the
   location of authority-related entries within the RA DIT.

   The RA DUA MUST handle the value(s) associated with this type as
   follows:

      1.  Verify presence and accessibility of entries identified by the
          respective DN values using the Read Operation
      2.  Compare the DN values to those within the 'rARegistrationBase'
          attribute type instance
      2a. If the DN values are identical, this implies use of combined
          authority/registration entries in a single location within the
          RA DIT -- a procedure that is generally discouraged
      2b. If the DN values are different, this implies use of dedicated
          authority entries, which bear the 'registrant' STRUCTURAL
          object class and reside in a location separate from that which
          houses entries bearing the 'registration' STRUCTURAL Object
          Class
      2c. If no DN values are specified within the 'rARegistrantBase'
          attribute type instance, the RA DUA MAY interpret this as an
          indication that no authority information is available within
          the RA DIT, and associated authority attribute types SHOULD
          NOT be requested by the RA DUA

   In the case of "2a", the RA DUA SHOULD include all attribute types
   specified within the 'currentAuthorityContext', 'sponsorContext' and
   'firstAuthorityContext' 'MAY' clauses for subsequent Read Operations
   of 'registration' entries.


Coretta                Expires February 23, 2025                [Page 8]

Internet-Draft       The OID Directory: RA Client            August 2024


   In the case of "2b", the RA DUA SHOULD include all attribute types
   specified within 'currentAuthorityContext', 'sponsorContext' and
   'firstAuthorityContext' 'MAY' clauses for subsequent Read Operations
   of 'registrant' entries.

   Dedicated authority entries bearing the 'registrant' STRUCTURAL
   object class should be located exactly one (1) level below each
   specified 'rARegistrantBase' DN value within the RA DIT.

   Depending on the nature of implementation of this I-D series, it may
   or may not be advisable to populate the 'rARegistrantBase' attribute
   type for consumption by all clients indiscriminately.  See Section
   5.2 of the RADIT I-D for security considerations on this topic.

2.2.2.1.4.  'rADirectoryModel'

   The 'rADirectoryModel' type describes the abstract structure of the
   RA DIT in terms of 'registration' layout and probable DN syntax.  The
   employed model shall have a profound influence on the manner in which
   the RA DUA shall interact with the RA DIT.

   A specified directory model is REQUIRED for proper functioning of the
   RA DUA, whether directly or indirectly.  The decided model specifier,
   which MUST be a numeric OID, is declared using the 'rADirectoryModel'
   attribute type.

   Sections 3.1.2 and 3.1.3 of the RADIT I-D define two (2) official
   directory models and DN syntax schemes identified by the following
   numeric OIDs:

      - 'twoDimensional' (1.3.6.1.4.1.56521.101.3.1.2)
      - 'threeDimensional' (1.3.6.1.4.1.56521.101.3.1.3)

   In virtually every case, the 'threeDimensional' model is STRONGLY
   RECOMMENDED for implementation and use, however RA DUAs SHOULD be
   prepared to incorporate other models that could be defined in any
   future extensions to this I-D series.

   The RA DUA MUST support use of the 'threeDimensional' model without
   exception and to the letter of every recommendation set forth within
   this I-D series.

   As stated clearly and in no uncertain terms within the originating
   document, the 'twoDimensional' model is STRONGLY DISCOURAGED aside
   from use in non-standard or particularly unusual scenarios.

   The RA DUA MAY support use of the 'twoDimensional' model at the
   discretion of the application designer.  Support for this model
   is purely OPTIONAL.




Coretta                Expires February 23, 2025                [Page 9]

Internet-Draft       The OID Directory: RA Client            August 2024


   The RA DUA MUST handle the value of this instance as follows:

      1.  Determine whether the 'rADirectoryModel' attribute type has
          been set with an explicit numeric OID
      1a. If NO numeric OID has been specified, use of the RECOMMENDED
          'threeDimensional' model is to be enforced by DEFAULT
      1b. If a numeric OID has been specified, identify the value as a
          known and supported model OID and adjust RA DUA behavior in
          accordance with prescribed procedures of the RADIT I-D
      1c. If a numeric OID has been specified and is not immediately
          identifiable within the terms of this I-D series -- such as
          a future extension of this standard -- the RA DUA MAY defer
          to the specifics of the recommendation or I-D from which the
          OID originates OR the RA DUA MAY choose to fail the session
      2.  Preserve the value for the remainder of the session, as it
          will influence the specifics of operations that may occur

   In the case of condition "1c", if the RA DUA chooses to fail the
   session, the RA DUA SHOULD present the user with an error message
   indicating the encounter with an unknown or as-of-yet unsupported
   directory model identifier.

2.2.2.1.5.  Additional Parameters

   The 'rAServiceMail' attribute type, when defined, contains any number
   of email addresses meant for support or request purposes.  Use of
   this type in the RA DIT is OPTIONAL, but SHOULD be recognized by the
   RA DUA when present.

   The 'rAServiceURI' attribute type, when defined, contains any number
   of URI values related to the service, such as terms of use, support
   information, documentation and other resources.  Use of this type in
   the RA DIT is OPTIONAL, but SHOULD be recognized by the RA DUA when
   present.

   The 'rATTL' attribute type, when defined for an entry bearing the
   'rADUAConfig' class, imposes a global entry caching TTL value meant
   for consumption and observance by qualified RA DUA implementations.
   See Section 2.2.3.4 for details and semantics regarding assignment
   and precedence strategies for a TTL.

2.2.3.  Queries

   This subsection covers strictly read-related operations, such as the
   location and presentation of a given 'registration' entry.

2.2.3.1.  Retrieving Entries

   The RECOMMENDED procedure for retrieving an entry -- in any directory
   model defined in this I-D series -- is a Read Operation of the entry
   by way of its DN.  This will return either one (1) entry, or none.


Coretta                Expires February 23, 2025               [Page 10]

Internet-Draft       The OID Directory: RA Client            August 2024


   Foreknowledge of the DN is required for a Read Operation attempt of
   this fashion.

   If the entry is a 'registration', the DN may be resolved by way of
   the associated numeric OID using the appropriate process defined in
   Section 3.1.

   'registration' entries may reference other 'registration' entries
   using the spatial attribute types defined in Section 2.3 of the
   RASCHEMA I-D and discussed further in Section 2.2.3.3.

   'registrant' entries, however, aren't resolvable in any standard
   manner.  These are dedicated authority entries that are normally
   accessed through references held by any associated 'registration'
   entries.

      - 'firstAuthority' and/or 'c-firstAuthority'
      - 'currentAuthority' and/or 'c-currentAuthority'
      - 'sponsor' and/or 'c-sponsor'

   However, in cases where direct referencing of DNs within the context
   of a Read Operation is not practical, possibly due to any of the
   following ...

      - Lack of assigned spatial reference types
      - An unsupported or incoherent DN syntax is indicated
      - Administrative operations are underway

   ... use of List or subtree Search operations may be indicated.

   While this method of searching is not generally recommended within
   the spirit of this I-D series, the RA DUA MAY allow this capability
   where appropriate.

   If the RA DUA encounters difficulty relating to a particularly large
   number of entries retrieved through a Search Operation, support for
   Simple Paged Results Manipulation by the RA DUA may be indicated if
   supported by the RA DSA.  For details, see clause 7.9 of ITU-T Rec.
   [X.511] and the entirety of [RFC2696].

2.2.3.2.  Reading Entries

   The following subsections outline the procedures involved in the
   presentation and analysis of a 'registration' or 'registrant' entry
   successfully retrieved by way of the Read or Search Operation.

2.2.3.2.1.  Entry 'objectClass' Analysis

   Given a successfully conducted Read or Search Operation, and assuming
   a single entry -- whether 'registration' or 'registrant' -- has been
   returned, the RA DUA SHOULD first read the 'objectClass' values and
   make note of all that originate in Section 2.5 of the RASCHEMA I-D.

Coretta                Expires February 23, 2025               [Page 11]

Internet-Draft       The OID Directory: RA Client            August 2024


   The 'registration' ABSTRACT object class is a required class for any
   OID allocation.  This class MUST only appear on entries which bear
   the 'rootArc' or 'arc' STRUCTURAL class.  It is a sub type of the
   'top' ABSTRACT class, defined in Section 2.4.1 of [RFC4512] and in
   clause 13.3.3 of ITU-T Rec. [X.501].

   The 'registrant' STRUCTURAL object class is only used for dedicated
   registrants, which are associated through DN references held by
   associated 'registration' entries, if any.  Appearance upon any
   other form of entry is a suboptimal or illogical state.

   Presence of the 'x660Context', 'x680Context' and/or 'x690Context'
   AUXILIARY classes for a 'registration' entry is permitted.  These
   classes extend multiple attribute types which conceptually derive
   from ITU-T Recs. [X.660], [X.680] and [X.690].

   Presence of the 'x667Context' AUXILIARY class for a 'registration'
   entry is only expected in cases where an OID allocation involves a
   'registeredUUID' attribute type instance and where the assigned 'n'
   value is the equivalent unsigned 128-bit integer.  See ITU-T Rec.
   [X.667] for information on this topic.

   Presence of the 'iTUTRegistration' AUXILIARY class is only permitted
   for allocations bearing the 'arc' STRUCTURAL class and describe an
   OID beginning with zero (0).  It extends no attribute types.

   Presence of the 'iSORegistration' AUXILIARY class is only permitted
   for allocations bearing the 'arc' STRUCTURAL class and describe an
   OID beginning with one (1)  It extends no attribute types.

   Presence of the 'jointISOITUTRegistration' AUXILIARY class is only
   permitted for allocations bearing the 'arc' STRUCTURAL class and
   describe an OID beginning with two (2).  It extends the 'longArc'
   attribute type.

   Entries SHALL NOT bear more than one (1) of the 'iTUTRegistration',
   'iSORegistration' or 'jointISOITUTRegistration' classes.

   Presence of the 'spatialContext' AUXILIARY class is only permitted
   for 'registration' entries.  It extends seven (7) spatial reference
   attribute types used to describe arrangement of allocations within
   the OID tree.  Additional collective incarnations of some of these
   attribute types may be indicated.

   Presence of the 'registrationSupplement' AUXILIARY class is only
   permitted for 'registration' entries.  It extends miscellaneous
   attribute types which extend from no official standards meant for
   ease-of-use only.

   Collective Attributes are described in [RFC3671].



Coretta                Expires February 23, 2025               [Page 12]

Internet-Draft       The OID Directory: RA Client            August 2024


   Presence of the 'firstAuthorityContext', 'currentAuthorityContext',
   and 'sponsorContext' AUXILIARY classes is permitted for 'registrant'
   entries and 'registration' entries alike, and would depend upon the
   'registrant' model employed within the RA DIT.  Each of these classes
   extends several identity and contact related attribute types for use
   within the context of sponsorship, current authorities and previous
   authorities.

   Presence of the 'rADUAConfig' AUXILIARY class SHOULD NOT be permitted
   for 'registration' or 'registrant' entries and indicates a suboptimal
   or illogical state.

   Assuming no violations were perceived as outlined above, the state of
   the entry's object class stack is apparently copacetic.

2.2.3.2.2.  Attribute Types Used

   At a minimum, the RA DUA SHOULD only expect attribute types defined
   within Section 2.3 of the RASCHEMA I-D, and/or their respective
   super types defined in [RFC4519], [RFC4524] and [RFC2079], to be
   assigned to entries within the terms of this I-D series.

   See Section 3.2 of the RADIT I-D for numerous examples regarding
   various attribute type use cases and requirements.

   The RA DIT MAY use other attribute type and object class definitions
   unrelated to this I-D series, for supplemental reasons, however their
   incorporation would be wholly proprietary and would have no official
   standing per this I-D series.

2.2.3.2.3.  Value Syntax

   Each attribute type, whether directly or indirectly, is governed via
   a syntax definition in terms of the allowed value(s) to be set for
   an entry.

   As mentioned in Section 2.1 of the RASCHEMA I-D, standard syntaxes
   do not necessarily align perfectly with the syntactical requirements
   of the standards upon which this I-D series is based -- namely ITU-T
   Recs. [X.660] and [X.680].

   To ease the difficulty in implementing an RA DUA which honors the
   syntactical characteristics of the underlying subject matter -- as
   opposed to only recognizing the syntax alone -- Section 2.3 of the
   RASCHEMA I-D includes ABNF productions for every attribute type
   defined, whether by reference or in literal form, intended for use by
   those tasked with implementation of this I-D series in some manner.

   The RA DUA MUST recognize these ABNF productions when reading values
   that were retrieved through use of the Read or Search Operation.



Coretta                Expires February 23, 2025               [Page 13]

Internet-Draft       The OID Directory: RA Client            August 2024


   The RA DUA MAY decide how to handle the case of reading a previously
   set attribute value of invalid or non-compliant form.  The RA DUA may
   warn the end-user of a value that is not well-formed, or it may opt
   to omit the value from visibility altogether.  If the RA DUA is of an
   administrative focus, the opportunity for corrective measures MAY be
   facilitated.

2.2.3.3.  Navigating Registration Entries

   Some of the more complete RA services, whether public or private,
   may offer a simple interface to facilitate intuitive incremental
   movement among registrations that are associated horizontally or
   vertically in terms of "up", "down", "left", "right", "min", "max"
   and "top".

   Depending on the needs of the intended audience, as well as the
   manner in which this specification is adopted, this can be an
   exceptionally difficult feature to implement for the RA DUA, but
   is one that can dramatically improve the user experience.

   The RA DUA SHOULD NOT assume positive support for this practice in
   all implementations of this I-D series.

2.2.3.3.1. Superior Vertical References

   During the Read or Search Operation executed in order to obtain a
   'registration' entry, the RA DUA MAY request any of the following
   attribute types:

      - 'supArc'
      - 'c-supArc'
      - 'topArc'
      - 'c-topArc'

   The 'supArc' and 'c-supArc' attribute types describe the immediate
   superior (parent) registration in terms of ancestral lineage.  Only
   one (1) of each of these attribute types should be present for any
   given 'registration' entry, never both.

   The 'topArc' and 'c-topArc' attribute types describe the absolute
   root registration in terms of ancestral lineage.  Only one (1) of
   each of these attribute types should be present for any given
   'registration' entry -- never both.

   Use of Collective attribute types -- namely those prefaced using the
   requisite 'c-' flag -- may not be practical in the two dimensional
   model and thus need not be requested.

   At no point are the above attribute types to be requested for entries
   that bear the 'rootArc' STRUCTURAL object class.  Root registrations
   do not have superiors.


Coretta                Expires February 23, 2025               [Page 14]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.3.3.2. Subordinate Vertical References

   Subordinate vertical references tend to be the most challenging among
   all the various attribute types related to spatial navigation within
   the terms of this I-D series.

   The RA DUA MAY request the 'subArc' attribute type as part of the
   Read or Search Operation used for retrieval of a 'registration'
   entry from the RA DIT.

   At no point should an entry bear the 'subArc' attribute type if it
   bears an 'isLeafNode' instance with a value of TRUE.  This indicates
   an illogical RA DIT condition.

   When defined, the 'subArc' attribute type instance SHOULD reflect
   a complete manifest of all references for 'registration' entries
   that are direct subordinates of the bearer.  This instance SHOULD
   be requested in baseObject-scoped context, and is the only multi
   valued spatial attribute type defined within this I-D series.

   The RA DUA SHOULD prefer 'subArc' enumeration to a List Operation
   beneath a 'registration'.  This method of searching is a potentially
   costly request in the face of particularly large sets of subordinate
   'registration' entries present within the RA DIT.

   The RA DUA SHOULD be prepared to manually sort the set of 'subArc'
   DN references based on its OID or NumberForm value, however this
   responsibility may be handled by the RA DSA.

2.2.3.3.3. Horizontal References

   Horizontal (sibling) references describe both adjacent as well as
   minimum and maximum 'registration' contexts.

   During a Search Operation intended to obtain a 'registration' entry,
   the RA DUA SHOULD request the following attribute types:

      - 'leftArc'
      - 'rightArc'
      - 'minArc'
      - 'c-minArc'
      - 'maxArc'
      - 'c-maxArc'

   The 'leftArc' attribute type describes the sibling 'registration'
   entry that is nearest but less than that of the bearer in terms of
   Number Form ('n') numerical magnitude.

   The 'rightArc' attribute type describes the sibling 'registration'
   entry that is nearest but greater than that of the bearer in terms
   of Number Form ('n') numerical magnitude.


Coretta                Expires February 23, 2025               [Page 15]

Internet-Draft       The OID Directory: RA Client            August 2024


   The 'minArc' and 'c-minArc' attribute types are used to reference the
   'registration' entry bearing the lowest magnitude Number Form ('n')
   value within a set of siblings.  Only one (1) of these attribute
   types should be present for any given 'registration' entry, never
   both.

   The 'maxArc' and 'c-maxArc' attribute types are used to reference the
   'registration' entry bearing the highest magnitude Number Form ('n')
   value within a set of siblings.  Only one (1) of these attribute
   types should be present for any given 'registration' entry, never
   both.

2.2.3.4.  Client Entry Caching

   For particularly large or busy implementations of the I-D series, the
   RA DUA MAY support basic client-driven entry caching of any retrieved
   'registration' and 'registrant' entries by way of either the 'rATTL'
   or 'c-rATTL' integer attribute types, as defined within Section 2.3
   of the RASCHEMA I-D.

   A valid use case for caching involves serving IANA PEN registrations
   [PRIVATE], which number in the tens of thousands.  Caching may yield
   tremendous savings in terms of resource utilization associated with
   particularly large numbers of static entries being retrieved in a
   repeating manner.

   This I-D makes no assumptions regarding the design or implementation
   of the underlying caching subsystem.  The only abstract requirement
   relates to the ability to cache a single directory entry for a span
   of time equivalent to the effective TTL value in minutes.

   The RA DUA SHOULD allow for the user to determine whether an entry
   being presented is derived from a cache.

2.2.3.4.1.  Semantics

   An 'rATTL' may be found in the following contexts wherever the
   'rADUAConfig', 'registration' or 'registrant' classes are present.

      - A root DSE
      - An RA DIT context
      - An individual leaf-node entry

   The collective counterpart attribute type, 'c-rATTL', may be found on
   all of the above EXCEPT the root DSE.

   Presence of an instance of either of these attribute types for any
   entry serves as an indicator to the RA DUA that a caching directive
   may be in effect depending on the value.

   The significance of value magnitude -- whether collective or not --
   is as follows:

Coretta                Expires February 23, 2025               [Page 16]

Internet-Draft       The OID Directory: RA Client            August 2024


      - A value less than or equal to "0" is equivalent to a TTL being
        undefined: NO cached lifespan is specified
      - A value greater than or equal to "1" indicates a TTL lifespan
        expressed by that value (e.g.: "1440" for a 24-hour TTL)

   Countdown of a timespan commences at the same time the indicated
   entry is retrieved and cached by the RA DUA according to the value.

   Presence of the 'rATTL' attribute type within the RA DSA's root DSE
   indicates use of global caching, a condition in which all entries
   are cached for a fixed amount of time unless they are subjected to
   an individual override by the 'rATTL' or 'c-rATTL' types.

   Presence of the 'rATTL' attribute type within separate 'rADUAConfig'
   class profile instances indicates context-specific entry caching (for
   example, a single RA DIT in the midst of others served by a common RA
   DSA).

   The 'c-rATTL' attribute type is only present for entries when served
   by an RA DSA which supports collective attributes.  No instance of
   the 'c-rATTL' attribute type shall be present within the root DSE.

   In the face of multiple overlapping TTLs implied for an entry, these
   rules of precedence can guide the RA DUA in determining the correct
   TTL:

      - DSE-based TTL overrides nothing (lowest common denominator)
      - Contextual TTL overrides DSE TTL
      - Collective TTL overrides a subtree of a contextual TTL
      - Non-collective leaf entry TTL overrides all of the above

   If deemed appropriate within the spirit of an implementation, or if
   potentially necessary in an administrative context, the RA DUA MAY
   allow for arbitrary cache bypass, whereas the cached entry may be
   refreshed ahead of its scheduled TTL expiry.

2.2.4.  New Allocations

   The following subsections involve considerations and procedures which
   are related to the incorporation of new registration allocations into
   an RA DIT.

   Each "OID Directory" implementation will almost certainly adopt only
   certain attribute types for use in entries.

   Such restrictions may be exercised based on use of only select object
   classes within an entry, through observance of any DIT content rules
   that may be in effect, or through a form of access control.

   The RA DUA is expected to honor any policies imposed by the service
   that would influence or mandate the composition of new entries in a
   particular way.

Coretta                Expires February 23, 2025               [Page 17]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.4.1.  Verification

   Certain pre-allocation checks MUST be conducted prior to any attempt
   at creating an allocation.  The following subsections describe these
   procedures.  Please note that only the three dimensional directory
   model is covered due to its STRONGLY RECOMMENDED status over the
   alternative model.

   While the RA DSA may implement 'registration' integrity controls of
   its own, the RA DUA SHALL NOT rely on such elements to mitigate bogus
   or ill-advised requests alone.  The RA DUA is REQUIRED to submit only
   well-formed and sanctioned requests, and SHALL NOT be designed under
   the unfounded assumption that the RA DSA will conduct post-operative
   or custodial amendments of any kind.

   Adopters of the RA DUA construct should remember that the context of
   an allocation request can greatly influence the perception of the
   various outcomes discussed in the following subsections.

   For example, consider the entry of retroactive 'registration' entries
   -- obsolete and wholly invalid by today's standards -- by an end user
   simply to build a thorough and well-formed implementation of the OID
   tree, versus a new registration being created today, and governed by
   today's standards.  These two scenarios have radically different
   implications, yet the effective action is unchanged.

   Depending on the nature and intended audience of an RA DUA solution,
   this distinction may be particularly important.  It may prove useful
   to allow for effective "overrides" for authorized identities or modes
   of operating, for example, to allow the creation of registrations
   beneath an obsolete superior context.

   It is important to note that the procedures defined in the following
   subsections do not account for any internal governance or approval
   process related to allocation request handling.

2.2.4.1.1.  Ancestral Viability

   Given an intended registration DN of:

      n=9999,n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA

   The RA DUA MUST first verify the presence of the intended superior
   registration DN.

      n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA

   This search can be conducted using the following SearchRequest
   parameters:




Coretta                Expires February 23, 2025               [Page 18]

Internet-Draft       The OID Directory: RA Client            August 2024


      baseObject = n=4,n=1,n=6,n=3,n=1,ou=Registrations,o=rA
      scope      = 0
      filter     = objectClass=registration
      attributes = registrationStatus
                   registrationClassification
                   isLeafNode
                   isFrozen
                   objectClass

   If exactly one (1) entry is returned with no apparent error, the
   superior entry is confirmed to be present.  In this case, the RA DUA
   should read the values of the requested attribute types.

   If the 'registrationStatus' and/or 'registrationClassification' value
   is OBSOLETE, DEALLOCATED or some other (known) declaration of a state
   of non-operation, this MUST fail the allocation request unless the
   attempt was made in (approved) retroactive context.  The case folding
   scheme in effect for these values is not significant.

   Similarly, if the 'isFrozen' and/or 'isLeafNode' attribute types bear
   a Boolean value of TRUE, the allocation request MUST fail unless the
   attempt was made in (approved) retroactive context.

   The error 'noSuchObject' indicates the requested entry was not found.
   When using LDAP, this bears the resultCode value of "32".

   'noSuchObject' SHOULD be investigated by the RA DUA by way of an
   ancestral traversal -- a process in which each successive ancestor
   entry is subjected to a similar presence check as described above
   in incremental fashion.  Ordering of ancestral traversal checks is
   not significant, as either ordering scheme will ultimately lead to
   the same conclusion.

   Each ancestor entry is referenced using a DN value which lacks the
   leaf-node RDN component of the previously-checked descendant entry.

   For instance, continuing with the above superior DN's lineage:

      - n=1,n=6,n=3,n=1,ou=Registrations,o=rA
      - n=6,n=3,n=1,ou=Registrations,o=rA
      - n=3,n=1,ou=Registrations,o=rA
      - n=1,ou=Registrations,o=rA

   Following this procedure allows the RA DUA or the end user to locate
   where the apparent ancestral discontinuity begins within the RA DIT.

   The terminus of a registration lineage -- such as the one described
   above -- is determined based on the presence of the STRUCTURAL object
   class 'rootArc' for an entry (e.g.: "n=1,ou=Registrations,o=rA").




Coretta                Expires February 23, 2025               [Page 19]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.4.1.2.  Number Form Uniqueness

   Within a set of sibling 'registration' entries, it is CRITICAL that
   any new allocation involve use of a horizontally-unique 'n' value.

   Using one of the RECOMMENDED DN syntaxes described in Section 3.1,
   the proper procedure simply involves a Read-based presence check of
   the intended 'registration' DN.

   For instance, if the desired allocation shall bear the DN:

      n=9999,n=3,n=1,ou=Registrations,o=rA

   A preemptive Read Operation MUST be executed in the following manner:

      baseObject = n=9999,n=3,n=1,ou=Registrations,o=rA
      scope      = 0
      typesOnly  = TRUE
      attributes = objectClass

   Use of the 'typesOnly' option is merely for bandwidth efficiency,
   as the goal of this request is to see if ANY entry exists by this
   DN -- not to examine any particular attribute values.

   If zero (0) entries are returned alongside a 'noSuchObject' error,
   the Number Form is unique.

   Any non-zero number of entries that are returned with no apparent
   error indicates the Number Form is NOT unique and the attempt at
   allocation MUST fail.  The RA DUA SHOULD inform the user of this
   outcome.

   There are no practical override use cases for this condition.

   If using a 'registration' DN syntax other than those RECOMMENDED in
   Section 3.1, use of a filter within a List Operation executed upon
   the intended parent registration may be required at the risk of
   performance penalties proportional to the number of entries present:

      baseObject: = n=3,n=1,ou=Registrations,o=rA
      scope       = 1
      typesOnly   = TRUE
      filter      = n=9999
      attributes  = objectClass

   The same entry count semantics as described above will apply.

   See Section 2.2.4.1.3 for considerations regarding the presence
   of ranges of allocations within the set of sibling registrations.




Coretta                Expires February 23, 2025               [Page 20]

Internet-Draft       The OID Directory: RA Client            August 2024


2.2.4.1.3.  Ranged Allocations

   During the creation of new registrations, RA DUAs MUST preemptively
   search for any range-based registrations present that might overlap
   with the intended 'n' value of the entry.  This requirement MAY be
   relaxed if it is known that ranged allocations are not supported in
   the target location, but this is generally discouraged.

   For example, to determine if a ranged allocation resides within the
   '1.3' OID registration that would overlap with a desired Number Form,
   the RA DUA MUST perform a List Operation of the following form:

      baseObject = n=3,n=1,ou=Registrations,o=rA
      scope      = 1
      typesOnly  = TRUE
      filter     =
       (&(n<=X)(|(registrationRange>=X)(registrationRange=-1)))
      attributes = registrationRange

   Note that 'filter' contains a leading line-break and indent due to
   the maximum I-D line length being exceeded by the size of the value.

   Given these parameters, where the filter AVA "X" represents the 'n'
   (Number Form) chosen -- for example "100" -- the search will return
   zero (0) entries if no range violation is detected involving value
   "X".  This behavior is unchanged in the midst of multiple finite
   and/or infinite ranges, regardless of contiguity.

   Please note that integer "X" MUST be chosen or selected by some means
   by the RA DUA or its end user for this procedure to work as intended.
   "X" SHALL NOT be negative.

   An infinite range SHALL ONLY appear once in any sibling context, and
   the associated entry DN SHALL ALWAYS represent the true 'maxArc' or
   'c-maxArc' value in the same sibling context, if specified.

   If ANY number of entries are returned as a result of this allocation
   check, the registration MUST fail.  The RA DUA MAY opt to make other
   attempts using another Number Form in place of "X", or it may simply
   inform the user of an overlapping allocation attempt.

   This procedure assumes the preemptive Number Form Uniqueness check
   procedures described in Section 2.2.4.1.2 have been conducted with
   a favorable outcome as described.

   However, in certain use cases, it may be advantageous to replace the
   above 'filter' with:

      (|(&(n<=X)(|(registrationRange>=X)(registrationRange=-1)))(n=X))

   Doing so accomplishes the goals of this section and Section 2.2.4.1.2
   in a single action.

Coretta                Expires February 23, 2025               [Page 21]

Internet-Draft       The OID Directory: RA Client            August 2024


   The RA DUA MAY opt to impose a 'typesOnly' value of FALSE to allow
   the user to manually observe the range structure(s) present within
   a set of siblings directly (by way of the 'registrationRange' type)
   if and when an overlapping allocation attempt was made.  This allows
   the user to select an appropriate Number Form value in an informed
   manner -- as opposed to trial-and-error methodology, for instance.

2.2.4.2.  Submission

   Assuming the verification procedures covered in Section 2.2.4.1 were
   of a favorable outcome, the submission of the allocation details may
   be indicated.

   This I-D assumes that any requisite review or approval processes that
   are practiced by those who serve in authority over the RA have been
   performed.

   Creation of a directory entry, based upon decided allocation details,
   is the last step necessary for a proper submission.  Please see the
   RADIT I-D for details and many examples regarding entry composition.

   The Add Operation is the intended means for submission of the entry.

   If the particular implementation of this I-D series does not support
   this operation in this manner, the RA DSA may be expected to support
   another means out of scope for this I-D series.

   Upon submission of the composed entry to the receiving RA DSA, the
   RA DUA SHOULD retrieve the newly added entry to verify attribute type
   and object class content is present as intended.  This should precede
   any declarations of successful submission to the end user.

2.2.5.  Allocation Updates

   Updates to 'registration' entries, as mentioned previously, is often
   ill-advised outside of extraordinary circumstances, likely involving
   corrections to entries deemed to be of poor form, or created in bad
   faith.  A general rule-of-thumb suggests that any 'registration' is
   typically static.

   Updates to 'registrant' entries or attributes, however, is far more
   likely if contact information, which changes over time, is present.

   Nevertheless, alterations to the content of entries in either context
   is facilitated through use of the Modify Operation for any of the
   following desired actions:

      - Addition of object class values
      - Addition of attribute type instances or values
      - Removal of undesirable or invalid attribute instances or values
      - Correction of bogus attribute values
      - Relegation of a 'currentAuthority' to a 'firstAuthority'

Coretta                Expires February 23, 2025               [Page 22]

Internet-Draft       The OID Directory: RA Client            August 2024


   In an even more exceptional (and unlikely) scenario, the correction
   of an invalid Number Form or OID RDN value is facilitated through
   use of the Modify DN Operation, which is intended for the "renaming"
   and/or "relocation" of a specified entry.  This is almost certainly
   an administratively focused use case.

   The semantics for either of these operations are well outside the
   scope of this I-D series.

3.  IANA Considerations

   There are no requests to IANA in this document at this time.

4.  Security Considerations

   The RA DUA MUST possess the capability to honor any authentication
   and/or confidentiality policies imposed by the RA DSA.  This would
   imply Bind and Unbind capabilities, at the least.

   This may involve strategies related to TLS, 2FA, OTP and others.  TLS
   support may include facilities for mutual authentication.  Support of
   password-related operations -- such as those defined in [RFC3062] --
   may be indicated.

   Certain directory implementations may require these capabilities be
   exercised prior to interaction with ANY facet of the directory -- no
   matter how innocuous a request may be perceived (for instance, basic
   query of the root DSE only).  This is an especially common practice
   in high-security X.500/LDAP implementations.  Adopters are advised to
   be prepared for such conditions.

5.  References

5.1.  Normative References

   RADIR      Coretta, J., "The OID Directory: A Technical Roadmap",
              draft-coretta-oiddir-roadmap, February 2024.

   RADIT      Coretta, J., "The OID Directory: The RA DIT",
              draft-coretta-oiddir-radit, February 2024.

   RADSA      Coretta, J., "The OID Directory: The RA DSA",
              draft-coretta-oiddir-radsa, February 2024.

   RASCHEMA   Coretta, J., "The OID Directory: The RA Schema",
              draft-coretta-oiddir-schema, February 2024.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.




Coretta                Expires February 23, 2025               [Page 23]

Internet-Draft       The OID Directory: RA Client            August 2024


   [RFC2696]  C. Weider, A. Herron, A. Anantha, Microsoft, T. Howes
              and Netscape, "LDAP Control Extension for Simple Paged
              Results Manipulation", RFC 2696, September 1999.

   [RFC3671]  Zeilenga, K., "Collective Attributes in the Lightweight
              Directory Access Protocol (LDAP)", RFC 3671, December
              2003.

   [RFC4511]  J. Sermersheim, Ed. "Lightweight Directory Access Protocol
              (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", RFC 8174, May 2017.

   [X.501]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Models", ITU-T
              X.501, October 2019.

   [X.511]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Abstract service
              definition", ITU-T X.511, October 2019.

5.2.  Informative References

   [PRIVATE]  IANA, "Private Enterprise Numbers",
              https://www.iana.org/assignments/enterprise-numbers.

   [RFC2079]  Smith, M., "Definition of an X.500 Attribute Type and an
              Object Class to Hold Uniform Resource Identifiers (URIs)",
              RFC 2079, January 1997.

   [RFC3062]  Zeilenga, K., "LDAP Password Modify Extended Operation",
              RFC 3062, February 2001.

   [RFC4519]  Sciberras, Ed., A., "Lightweight Directory Access Protocol
              (LDAP): Schema for User Applications", RFC 4519, June
              2006.

   [RFC4524]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): COSINE LDAP/X.500 Schema", RFC 4524, June 2006

   [X.500]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Overview of
              concepts, models and services", ITU-T X.500, October 2019.





Coretta                Expires February 23, 2025               [Page 24]

Internet-Draft       The OID Directory: RA Client            August 2024


   [X.660]    International Telecommunication Union - Telecommunication
              Standardization Sector, "General procedures and top arcs
              of the international object identifier tree", ITU-T X.660,
              July 2011.

   [X.667]    International Telecommunication Union - Telecommunication 
              Standardization Sector, "Information technology -         
              Procedures for the operation of object identifier         
              registration authorities: Generation of universally unique
              identifiers and their use in object identifiers", ITU-T   
              X.667, October 2012.

   [X.680]    International Telecommunication Union - Telecommunication
              Standardization Sector, "Abstract Syntax Notation One
              (ASN.1): Specification of basic notation", ITU-T X.680,
              July 2002.

   [X.690]    International Telecommunication Union - Telecommunication 
              Standardization Sector, "ASN.1 encoding rules:            
              Specification of Basic Encoding Rules (BER), Canonical    
              Encoding Rules (CER) and Distinguished Encoding Rules     
              (DER)", ITU-T X.690, February 2021.

Author's Address

   Jesse Coretta
   California, United States

   Email: jesse.coretta@icloud.com

























Coretta                Expires February 23, 2025               [Page 25]