Full Description

General

The Directory Standards define various means of authentication between DUAs and DSAs and also between two DSAs.

As specified by the Directory Standards, the means of authentication at the time of establishment of an association (i.e. at Bind-time), for DAP, DSP, DOP, and DISP, are:

  • None: no credentials are supplied
  • Simple unprotected authentication, with or without password: each authenticating party supplies a name and optionally a password
  • Simple protected authentication: each authenticating party supplies a name and a password whose information is transmitted in hashed form to preserve password confidentiality and to prevent replay
  • Strong authentication in which each authenticating party supplies a token signed with a digital signature which can be verified by the other

The Directory Standards also permit other forms of authentication at the time of association establishment, whereby credentials are passed by “external” elements. Such means are outside the scope of this part of ISO/IEC ISP 15125.

In addition, the Directory Standards define a method whereby certain DAP, DSP, or DISP enquiries and results can be authenticated and sealed by means of a digital signature.

This part of ISO/IEC ISP 15125 profiles:

  • Simple unprotected authentication, with or without password, between two DSAs
  • Simple protected authentication between two DSAs
  • Strong authentication between two DSAs
  • Signed DSP and DISP invokes and return-results exchanged between two DSAs

It also profiles the behaviour of a DSA in combining signed uncorrelated list and search information as returned by DSP return results.

It also profiles the use of the originator element to convey information about the originator of the DAP association within which an operation is created.

Since there are many options and possibilities in the use of these techniques, this part of ISO/IEC ISP 15125 does not attempt to specify how each facility shall be used. This results in certain features (e.g. the double-hashing technique described in the last paragraph of [ISO/IEC 9594-8 : 1995 | ITU-T Rec. X.509 (1993)] subclause 6.2) being considered as out-of-scope.

DSAs are also permitted to bind to each other using no credentials at all. However, this possibility is outside the scope of this part of ISO/IEC ISP 15125.

Position within the taxonomy

This part of ISO/IEC ISP 15125 is identified in ISO/IEC TR 10000-2 as “ADY43 — DSA to DSA Authentication”.

Scenario

This part of ISO/IEC ISP 15125 profiles simple and strong authentication between DSAs (BIND dialogue in Figure 1) in the establishment of DSP, DOP and DISP Associations, and signed operations between DSAs (OPERATION dialogue in Figure 1) within these Associations. It also profiles the handling of uncorrelated list and search results (see right-hand-side of diagram) within DSP (there is no analogue for this within DOP and DISP).