
A variety of protocols are under consideration to facilitate the distribution of digital certificates. These include widely used file retrieval mechanisms (such as FTP and HTTP) or specifically designed directory access protocols (such as LDAP). Because FTP and HTTP are assumed to be understood, only LDAP is discussed (in the following section) to give a high-level view of what it is.

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is used for accessing online directory services. LDAP was developed by the University of Michigan in 1995 to make it easier to access X.500 directories. X.500 was too complicated and required too much computer power for many users, so a simplified version was created. LDAP is specifically targeted at management applications and browser applications that provide read/write interactive access to directories. When used with a directory that supports the X.500 protocols, LDAP is intended to be a complement to the X.500 DAP. The LDAP V2 protocol is defined in RFC 1777. Currently, work is in progress on Version 3 (an Internet draft).

LDAP runs directly over TCP and can be used to access a stand-alone LDAP directory service or to access a directory service that is back-ended by X.500. The standard defines the following:

● A network protocol for accessing information in the directory
● An information model defining the form and character of the information (called a schema)
● A namespace defining how information is referenced and organized
● An emerging distributed operation model defining how data may be distributed and referenced (in Version 3)

The general model adopted by LDAP is one of clients performing protocol operations against servers. In this model, a client transmits a protocol request describing the operation to be performed to a server. The server is then responsible for performing the necessary operation(s) in the directory. After completing the operation(s), the server returns a response containing any results or errors to the requesting client.

In LDAP Versions 1 and 2, no provision was made for protocol servers returning referrals to clients. Rather, if the LDAP server does not know the answer to a query, it goes to another server for the information rather than sending a message to the user telling the user to go to that other server. However, for improved performance and distribution, this version of the protocol permits servers to return to clients referrals to other servers. This approach allows servers to offload the work of contacting other servers to progress operations.

The LDAP protocol assumes that there are one or more servers that jointly provide access to a Directory Information Tree (DIT). Each tree is made up of entries, and entries have names: one or more attribute values from the entry form its relative distinguished name (RDN), which must be unique among all its siblings. The concatenation of the RDNs of the sequence of entries from a particular entry to an immediate subordinate of the root of the tree forms that entry's distinguished name (DN), which is unique in the tree.
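The naming rules above, worked through as an added example (not part of the original chapter): a toy in-memory DIT that enforces sibling-unique RDNs and builds a DN by concatenating RDNs from the entry up to the root's immediate subordinate. The entry names are constructed, and two behaviours are assumptions of this sketch: commas inside values are backslash-escaped in the string form, and RDNs are compared case-insensitively.

```python
# Added illustration, not from the original text. Entry names are constructed.
class Entry:
    def __init__(self, attr, value, parent=None):
        self.attr, self.value, self.parent = attr, value, parent
        self.children = {}  # sibling key -> Entry

    def rdn(self):
        # Assumption: backslash-escape commas so the DN can be split again.
        escaped = self.value.replace("\\", "\\\\").replace(",", "\\,")
        return f"{self.attr}={escaped}"


class DIT:
    def __init__(self):
        self.top = {}  # entries immediately subordinate to the root

    def add(self, attr, value, parent=None):
        siblings = parent.children if parent is not None else self.top
        # Simplification: compare RDNs case-insensitively.
        key = (attr.lower(), value.lower())
        if key in siblings:
            raise ValueError(f"RDN {attr}={value} is not unique among its siblings")
        siblings[key] = Entry(attr, value, parent)
        return siblings[key]


def dn_of(entry):
    """Concatenate RDNs from the entry up to the root's immediate subordinate."""
    parts = []
    while entry is not None:
        parts.append(entry.rdn())
        entry = entry.parent
    return ",".join(parts)


def split_dn(dn):
    """Split a DN string into RDNs on unescaped commas only."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur]
```

Code that splits a DN with a plain split on commas miscounts the RDNs as soon as a value contains an escaped comma, which matters wherever a DN is compared or used in an access decision.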

Some servers may hold cache or shadow copies of entries, which can be used to answer search and comparison queries, but will return referrals or contact other servers if modification operations are requested.

Summary

This chapter detailed many of the current and evolving technologies relating to security. One of the most important security considerations is establishing the identity of the entity that wants to access the corporate network. This process usually entails authenticating the entity and subsequently authorizing that entity and establishing access controls. Some protocols are specifically designed to only authenticate end-users (people) or end-devices (hosts, routers). Frequently, you have to combine the two protocols so that both end-users and the end-devices they are using to access the network are authenticated.

In addition to establishing identity, you must ensure data integrity and confidentiality; that is, you must protect the data traversing the corporate network. Many technologies exist to provide security services for various TCP/IP layers. Although Application layer security protocols provide the most flexibility for application-specific parameters, using a different security protocol for every application is not practical. Transport security protocols such as SSL and SSH are widely deployed. SSL is bundled into many Web servers and clients and has become a de facto standard in securing Web transactions; SSH is most often used for securing Telnet or FTP transactions. IPsec is becoming widely deployed and can offer security services for the Transport and Application layer traffic on a per-packet basis. IPsec should be able to secure Telnet, FTP, and Web traffic but may be harder to scale until client support is more readily available on many platforms.

For dial-in security, protocols such as L2F, PPTP, and L2TP can offer many advantages for corporations. These protocols can provide a way for dial-in users to use the Internet to securely communicate back to the corporate network. However, the packets traversing the secured tunnels are not protected, and it is prudent to add more security with Transport or Network layer security protocols to protect the traffic.

Many of the security protocols discussed in this chapter require either an exchange of cryptographic keys or digital certificates. A PKI is required to provide trusted and efficient key and certificate management. PKIs are being implemented in corporations or in a more global fashion, but this particular area is still developing and should be watched carefully in the upcoming years.

All the technologies discussed in this chapter will keep evolving; those readers interested in additional technical details and the latest developments should refer to the work performed by the IETF working groups, which is listed in Appendix A, "Sources of Technical Information."

Posted: Wed Jun 14 11:41:05 PDT 2000
