X.509 at work
Within many applications of directories, for example in electronic commerce and White Pages services, information about what we will call subscribers is stored in directories. Subscribers can be private persons, persons within an organization, the organizations themselves and their organizational units. Some of the information about a subscriber may have been supplied by that subscriber for a particular purpose and should not be misused for other purposes. As an example, a subscriber may not want the information stored about them to be used for unsolicited marketing.
The following gives a short overview of the X.500 data privacy protection features.
There are in principle three partners in a data protection situation as shown in the figure above:
Besides establishing protection for the data in the directory, the administrator also has the responsibility for ensuring that the stored information is correct. This is also a personal data protection issue. It may impair a person's integrity if misleading information is returned to accessing users.
There are many aspects of protection of data:
Protection of information involves:
Some of the above issues are handled in more detail in the following.
The X.500 standard (X.509) is the main source for definitions of digital signatures to be used for strong authentication during logon, allowing reliable identification of an accessing user. The accessing user can get the same assurance about the identity of the accessed directory server.
Every message going back and forth can be signed. The identity of the sending entity can thereby be ensured for each separate message.
Digital signatures also provide message integrity, that is, messages cannot be changed en route without detection.
Messages might be intercepted, so it might be required to encrypt them. The X.500 standard has no facilities for encryption of messages. However, encryption is possible using underlying services, such as Transport Layer Security (TLS).
The figure above illustrates the basic principle of access control. Each piece of information, also called a protected item, can be protected against unauthorized access. A protected item can be all the information stored about a subscriber, or it can be a particular piece of such information, for example a secret telephone number.
The access control can be related to different types of operations. As an example, a user may be allowed to read information, but not to modify it.
At the extreme, an accessing user may not even know the existence of a certain piece of information.
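The three ideas above (a protected item, permissions per operation, and an item whose very existence is hidden) as an added illustration; this is example code written for this page, not the X.500 access control syntax, and the user classes, attribute names and entry data are constructed:

```python
from collections import namedtuple

# Constructed model: a protected item is one attribute of a subscriber's entry,
# and each rule grants a user class a set of permissions on one item.
Rule = namedtuple("Rule", "user_class item permissions")
# Constructed sample entry; the last attribute is the text's "secret telephone number".
ENTRY = {
    "cn": "Jane Doe",
    "telephoneNumber": "+32 2 555 0100",
    "secretTelephoneNumber": "+32 475 555 0199",
}

# "disclose" lets a user class learn that the item exists at all; without it
# the item is invisible to that class, as the text describes for the extreme case.
RULES = (
    Rule("public", "cn", frozenset({"read", "disclose"})),
    Rule("public", "telephoneNumber", frozenset({"read", "disclose"})),
    Rule("staff", "cn", frozenset({"read", "disclose"})),
    Rule("staff", "telephoneNumber", frozenset({"read", "disclose"})),
    # Staff may learn that the secret number exists, but not read its value.
    Rule("staff", "secretTelephoneNumber", frozenset({"disclose"})),
    Rule("admin", "cn", frozenset({"read", "modify", "disclose"})),
    Rule("admin", "telephoneNumber", frozenset({"read", "modify", "disclose"})),
    Rule("admin", "secretTelephoneNumber", frozenset({"read", "modify", "disclose"})),
)

def permitted(user_class, item, permission):
    return any(r.user_class == user_class and r.item == item
               and permission in r.permissions for r in RULES)

def read_entry(user_class, entry):
    """Readable values; disclosed-but-unreadable attributes as None;
    undisclosed attributes omitted entirely."""
    visible = {}
    for attr, value in entry.items():
        if permitted(user_class, attr, "read"):
            visible[attr] = value
        elif permitted(user_class, attr, "disclose"):
            visible[attr] = None
    return visible

def modify_attribute(user_class, entry, attr, value):
    """Apply a change, or fail without revealing more than the class may know."""
    if attr not in entry or not permitted(user_class, attr, "disclose"):
        return "noSuchAttribute"  # same answer for absent and for hidden items
    if not permitted(user_class, attr, "modify"):
        return "insufficientAccessRights"
    entry[attr] = value
    return "success"
```

A public user receives the same "noSuchAttribute" answer for the hidden number as for an attribute that does not exist, so the error itself does not leak existence.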
A directory service will often serve one or more distinct purposes. A White Pages service is used for finding a telephone number, an e-mail address, etc. Any other retrieval of information may be suspicious, and the administrator might want to prevent it. Whether a particular search can be labelled suspicious depends on the user class.
Some searches may be used for retrieving information for bulk marketing, which might be a violation of a personal data protection act. Some searches may attempt to retrieve information about people of a particular ethnic group. Other searches may have as their purpose to retrieve (steal) bulk information for establishing their own directory service or for sale to a third party. This could again be a breach of privacy, as the information may then be used for other things than those for which it was intended. A subscriber may give information to a directory service with the understanding that it is used for a well-defined purpose.
It is not possible to identify all the types of data protection situations now and in the future. X.500 therefore has very versatile tools for accommodating any conceivable data protection situation.
An administrator is able to restrict the directory searches to a pre-defined set. Each such search is defined by specifying what search criteria shall be provided, which may optionally be provided, and which shall not be provided. Legal and illegal combinations of search criteria can also be specified. In this way, it is possible to allow only very targeted searches resulting in limited and appropriate results for the service offered.
For each service (search type) provided, it is possible to tailor the output for each entry returned (see service administration).
The figure above illustrates an example of how output can be adapted to specific requirements. A subscriber may have several postal addresses. In the example, the subscriber has a real address and a fake address. The subscriber wants the fake address returned, even if it is the real address that partly fulfils the search criteria. It is, of course, also possible to have no address returned, but that could make it too obvious that the subscriber is trying to hide its postal address.
A subscriber may also have its address in several languages and may, independently of the search criteria, want the address to be returned in a particular language. As an example, a Belgian subscriber may want, say, the Flemish address returned even when an accessing user supplies addressing search criteria in French.
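The restricted-search and tailored-output ideas of the last paragraphs worked through as an added example: a White Pages search rule that says which criteria shall, may and shall not be provided, and an entry whose real address is used for matching while the address the subscriber wants shown is returned in the subscriber's preferred language. The rule, subscriber data and function names are constructed for this page and are not the notation of the X.500 service administration specifications.

```python
# Constructed search rule and subscriber data; the names below are this example's,
# not the syntax of the X.500 service administration specifications.
WHITE_PAGES_RULE = {
    "mandatory": {"surname"},        # shall be provided
    "optional": {"localityName"},    # may be provided
    # any other criterion shall not be provided, which rules out broad
    # retrieval by, say, organizational unit alone
}

def check_request(rule, criteria):
    """None if the request fits the rule, otherwise the reason it is rejected."""
    given = set(criteria)
    missing = rule["mandatory"] - given
    if missing:
        return "missing mandatory criteria: " + ", ".join(sorted(missing))
    extra = given - rule["mandatory"] - rule["optional"]
    if extra:
        return "criteria not allowed for this service: " + ", ".join(sorted(extra))
    return None

# One constructed Belgian subscriber: the real address is used for matching, the
# address the subscriber wants shown is returned instead, each in Flemish and French.
SUBSCRIBER = {
    "surname": "Janssens",
    "realAddress": {"nl": "Kerkstraat 1, Leuven", "fr": "Rue de l'Eglise 1, Louvain"},
    "shownAddress": {"nl": "Postbus 10, Leuven", "fr": "Boite postale 10, Louvain"},
    "preferredLanguage": "nl",
}

def matches(entry, criteria):
    if criteria.get("surname", entry["surname"]) != entry["surname"]:
        return False
    locality = criteria.get("localityName")
    if locality is None:
        return True
    # A locality given in either language may match the real address.
    return any(locality in addr for addr in entry["realAddress"].values())

def tailor_output(entry):
    """Return only the agreed output, in the subscriber's preferred language,
    regardless of which address or language satisfied the search."""
    lang = entry["preferredLanguage"]
    return {"surname": entry["surname"], "postalAddress": entry["shownAddress"][lang]}

def white_pages_search(criteria, entries, rule=WHITE_PAGES_RULE):
    reason = check_request(rule, criteria)
    if reason is not None:
        raise ValueError(reason)
    return [tailor_output(e) for e in entries if matches(e, criteria)]
```

A French-language search for "Louvain" matches the subscriber's real French address, yet the result carries the Flemish presentation address, as in the Belgian example above.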