X500Standard.com
The website of the X.500 Directory standard
X.500 Standard status
(Implementors' Guide)
- Introduction
- Standardization Procedures
- X.500 Document Structure
- X.500 docs not freely available
- X.500 docs freely available
- Current ASN.1 modules
- X.500 extensions in progress
- Submit a Defect Report
- Defect Reports
- Draft Tech Corrigenda
- Upcoming Meetings
- Meeting Reports
- A little history
How to be involved
More Information
Tutorial section 1
X.500 General
- The X.500 Directory
- Relationship with LDAP
- Information structure & names
- X.500 protocols
- X.500 operations
- Navigation
- Directory Schema
- Access Control
- Replication (Shadowing)
- Families of Entries
- Hierarchical Groups
- Mapping Based Searches
- X.500 Service Concept
- X.500 Service Administration
- Data Privacy Protection
- ISSS Schema
Tutorial section 2
X.509 specific
- X.509 Introduction
- Public-key Certificates
- Public-Key Infrastructure (PKI)
- Attribute Certificates
- Privilege Management Infrastructure (PMI)
- X.509 Extentions
- Protecting a directory
X.509 at work
Search
Data Privacy Protection
Reasons for data privacy protection
Within many applications of directories, for example within electronic commerce and White Pages services, information about what we will call subscribers is stored in directories. Subscribers can be private persons, persons within an organization, the organizations themselves and their organizational units. Some of the information about a subscriber may have been supplied by that subscriber for a particular purpose and should not be misused for other purposes. As an example, a subscriber may not want the information stored about it to be used for unsolicited marketing.
The following gives a short overview of the X.500 data privacy protection features.
Partners in data retrieval and protection
Figure 1 - Partners in data retrieval and protection
There are in principle three partners in a data protection situation as shown in the figure above:
- The accessing user trying to get useful information. This can be for a legitimate purpose, but it could also be for a somewhat suspect purpose.
- The subscriber, i.e. the person or organization about which data is placed in the directory. This subscriber may have quite legitimate requirements on how its data may be disclosed to different classes of accessing users.
- The administrative authorities that are responsible for establishing the required protection of the data and at the same time gives a useful service to accessing users.
Besides establishing protection for the data in the directory, the administrator also has the responsibility for ensuring that the stored information is correct. This is also a personal data protection issue. It may impair a person's integrity if misleading information is returned to accessing users.
Protection parameters
There are many aspects of protection of data:
- Different user classes may have different right to see certain pieces of information and certain combinations of information. To give the proper permission or denial to information, the accessing user's identity has to be established.
- The sensitive level of the information also determines what can be returned to whom.
- The subscriber represented in the directory may have special requirements and desires as to how the stored information shall be treated.
- The administrator may have additional concerns, such as protecting the investment in the stored information.
- Legislation causes additional limitations on the disposition of the stored information.
Protection of information involves:
- Each individual piece of information needs protection with respect to what operations can be performed by whom.
- Not only individual pieces of information need to be protected, but also retrieving certain combinations may be suspicious.
- Bulk retrieval of information may not be desirable for different reasons. It could make information available at other places with less protection features; it may be used for mass sales; etc.
Some of the above issues are handled in more details in the following.
Authentication of users
The X.500 standard (X.509) is the main source for definitions of digital signatures to be used for strong authentication during logon allowing for sure identification of an accessing user. The accessing user can get the same assurance about the identity of the accessed directory server.
Every message going backed and forth can be signed. The identity of the sending entity can thereby be ensured for each separate message.
Digital signatures also allow for message integrity, that is, messages cannot be changed on route without detection.
Confidentiality
Messages might be intercepted. It might be required to encrypt messages. The X.500 standard has no facilities for encryption of messages. However, encryption is possible using underlying services, such as Secure Socket Layer (SSL).
Access Control
Figure 2 - Access control
The figure above illustrates the basic principle of access control. Each piece of information, also called a protected item, can be protected against unauthorized access. A protected item can be all the information stored about a subscriber, or it can be a particular piece of such information, for example a secret telephone number.
The access control can be related to different types of operations. As an example, a user may be allowed to be read information, but not to modify it.
At the extreme, an accessing user may not even know the existence of a certain piece of information.
Suspicious searches
A directory service will often be for one or more distinct purposes. A White Pages service is used for finding a telephone number or e-mail address, etc. Any other retrieval of information may be suspicious, and the administrator might want to prevent that. It depends on user class whether a particular search can be labeled suspicious or not.
Examples of potentially suspicious searches:
- Search for all persons with a specific profession;
- Search for all people on a street;
- Search on the last three letters of persons' names;
- Search within a locality for persons without e-mail address;
- Search resulting in many entries returned; and
- Whatever we haven't thought of.
Some searches may be used for retrieving information for bulk marketing, which might be a violation of a personal data protection act. Some searches may be attempting to retrieve information about people of a particular ethnic group. Other searches may have as purpose to retrieve (steal) bulk information for establishing own directory service or to be sold to third party. This could again be a breach of the privacy, as the information may then be used for other things than for which it is indented. A subscriber may give information to a directory service with the understanding that it is used for a well defined purpose.
Tools for data privacy protection
It is not possible to identify all the types of data protection situations now and in the future. X.500 has therefore very versatile tools for accommodating any conceivable data protection situation.
An administrator is able to restrict the directory searches to a pre-defined set. Each such search is defined by specifying what search criteria shall be provided, which may optionally be provided, and which shall not be provided. Legal and illegal combinations of search criteria can also be specified. In this way, it is possible to allow only very targeted searches resulting in limited and appropriate results for the service offered.
For each service (search type) provided, it is possible to tailor the output for each entry returned (see service administration).
Figure 3 - Fake address
The figure above illustrates an example on how output can be adapted to specific requirements. A subscriber may have several postal addresses. In the example, the subscriber has a real address and a fake address. The subscriber wants the fake address returned, even if it is the real address that partly fulfils the search criteria. It is, of course, also possible to have no address returned, but that could make it too obvious that the user is trying to hide its postal address.
A subscriber may also have its address in several languages and may independently of the search criteria wants the address to be returned in a particular language. As an example, a Belgian subscriber may want, say, the Flemish address returned even when an accessing user supplies addressing search criteria in French.