Subject: Proposal to correct LDAP/X.500 profile attribute
Hello all -

The SSTC has identified the following issue with the X.500/LDAP profile:

The X.500/LDAP attribute profile is schema-invalid right now because we tell people to specify xsi:type="xsd:string" but then add our own X500:Encoding attribute into the AttributeValue element. That's illegal. Any fix would be a normative change to the profile, so either it has to be fixed or create a new profile and deprecate the original.

The SSTC has determined that there are six options to resolve this issue. Currently, the SSTC is leaning towards option 6. With this email message, we are soliciting feedback/comments from the list.

PLEASE POST ALL REPLIES TO THE LIST.

Options
--------

1. Remove the xsi:type requirement. Forces implementations to recognize string vs base64 encoding based on Attribute Name.

2. Remove the x500:Encoding attribute. Forces implementations to trigger profile behavior based on Attribute Namespace and Name, encoding rules are implied.

3. Move the x500:Encoding attribute to the Attribute element. Suggests that future encoding rules will be uniform across all values of an attribute, but otherwise fully consistent with intent of profile.

4. Define an extended schema type that extends string and base64Binary with the x500:Encoding attribute and change the mandated xsi:type values to the extended types. Least change to existing profile behavior, but requires publishing and approving an additional schema document.

5. Deprecate the existing profile and define a new one incorporating whatever input can be gleaned from implementers.

6. A variation on 2 and 3, which is to:
   a. remove the x500:Encoding attribute and document that the LDAP encoding uses xsi:type string and base64Binary
   b. document that other encodings should define new types

Thanks,
Jahan

------------------------
Jahan Moreh
Chief Security Architect
310.288.2141
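A sketch of how a consumer could decode values under option 6, where xsi:type alone selects string or base64Binary handling. This is an added example, not part of the original message or any SSTC text. The function names, the constructed sample, and the choice to reject a leftover x500:Encoding attribute are assumptions.

```python
import base64, io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
X500 = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

def _decode(value, ns):
    # Assumption: a strict option-6 consumer rejects the removed attribute.
    if f"{{{X500}}}Encoding" in value.attrib:
        raise ValueError("x500:Encoding is not permitted on AttributeValue")
    qname = value.get(f"{{{XSI}}}type")
    if qname is None:
        raise ValueError("AttributeValue has no xsi:type")
    # xsi:type is a QName: resolve its prefix against the in-scope
    # namespaces rather than trusting the literal text "xsd:".
    prefix, _, local = qname.rpartition(":")
    if ns.get(prefix) != XSD:
        raise ValueError(f"xsi:type {qname!r} is not an XML Schema type")
    text = value.text or ""
    if local == "string":
        return text
    if local == "base64Binary":
        return base64.b64decode("".join(text.split()), validate=True)
    raise ValueError(f"unsupported xsi:type {qname!r}")

def decode_attributes(xml_text):
    """Return {Attribute Name: [decoded values]} for a SAML Attribute tree."""
    scopes, pending, values, out = [{}], {}, [], {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, node in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":          # arrives before the element's start
            pending[node[0]] = node[1]
        elif event == "start":
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:
            ns = scopes.pop()            # bindings visible to this element
            if node.tag == f"{{{SAML}}}AttributeValue":
                values.append(_decode(node, ns))
            elif node.tag == f"{{{SAML}}}Attribute":
                out[node.get("Name")], values = values, []
    return out

# Constructed sample: "s" is bound to the XML Schema namespace on purpose.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xsi="{XSI}" xmlns:s="{XSD}">
 <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue xsi:type="s:string">Jane</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="urn:oid:2.5.4.36"><saml:AttributeValue xsi:type="s:base64Binary">MIIB Cg==</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

Because the type is resolved by namespace, a document that rebinds the prefix to something other than XML Schema is refused instead of being decoded as a string.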