INTERDOMAIN GUARDIANS IN A DISTRIBUTED DIRECTORY SERVICE

The joint ISO/CCITT X.500 Directory Standard defines a highly distributed directory service. It provides easy access to names and addresses which can be distributed across directory system components potentially anywhere in the world. In general there is minimal control over the flow of directory information amongst directory system components. However, in practice there is a need to restrict the flow of directory information between domains whilst maintaining the advantages of a global directory service. This paper considers possible trust relationships between domains and describes the design of a Guardian DSA that can be used to restrict the flow of names and addresses in and out of a security domain without compromising the service available to users. In most situations a Guardian DSA operates as a restricted version of a standard directory component. In only one case, forwarding of an outgoing chained request, may a Guardian DSA act differently from a standard DSA.