UNCLASSIFIED
ACP 137
417. Nations will normally only pass changes since the last update in the data file. To assure synchronization of the replicated DIT structure with the mastering nation, nations should send a complete refresh (full national DIT structure excluding high level DIT) to the replicating partners on an agreed schedule (see paragraph 462).

418. SHA-1 shall be used for the data file hash. SHA-1 produces a 20-octet message digest from a source, in this case the data file. This digest will be relayed to the replication peer as a text-based representation of the hexadecimal digest value (i.e. 40 ASCII characters that represent digits 0 - 9 and characters A - F).

DATA CONFIDENTIALITY

419. The underlying network on which the email and military message is being transported will supply confidentiality of replicated data. There is no requirement for encryption beyond the underlying network.

DATA ACCESS CONTROL

420. It is assumed that all shared national DIT entries would be for unrestricted read access. Thus, there is no need for nations to include access control information in the data files.

421. Receiving nations must ensure that users cannot modify the replicated DIT structure. How a nation protects replicated DIT entries from unauthorized modification is a national matter and outside the scope of this document.

RECEIVED DATA CONTENT INTEGRITY

422. As well as the presence of a hash checksum to ensure that the information has traversed the network without inadvertent changes, nations must ensure that the data file received contains valid information from the sending nation. Checking could include:

a. Validation that the file does not contain entries associated with another nation's DIT structure (e.g. UK entries in a US LDIF file). This may be achieved by checking the distinguished names (DNs) of all the entries in the LDIF file to verify correct placement of those entries in the sending nation's DIT.

b. Validation that the country code of the sending nation is contained within the RHS of all email addresses within the LDIF files they are receiving. It is unlikely that a similar check is required for X.400 addresses although this will depend on the messaging architecture.
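As an added illustration (not part of ACP 137), the following script applies the paragraph 418 hash check and then checks (a) and (b) of paragraph 422 to a constructed LDIF data file from a sending nation "US". The sample file, the convention that a national DIT ends in c=<country code>, and the minimal LDIF reader (no folded lines, no base64 values) are assumptions of this example.

```python
import hashlib
import re

# Constructed sample data file for a sending nation "US"; not taken from ACP 137.
# Entry 2 has a foreign mail domain, entry 3 sits in the UK DIT.
SAMPLE_LDIF = b"""dn: cn=Alice Example,ou=Army,c=US
objectClass: person
mail: alice@army.mil.us

dn: cn=Bob Example,ou=Navy,c=US
objectClass: person
mail: bob@navy.mod.uk

dn: cn=Carol Example,ou=Army,c=UK
objectClass: person
mail: carol@army.mil.uk
"""

def hex_sha1(data: bytes) -> str:
    """20-octet SHA-1 digest rendered as 40 hex characters (paragraph 418)."""
    return hashlib.sha1(data).hexdigest().upper()

def parse_ldif(data: bytes):
    """Minimal LDIF reader (assumption): no folded lines or base64 ('::') values."""
    entries = []
    for block in re.split(rb"\n\s*\n", data.strip()):
        attrs = {}
        for line in block.decode("utf-8").splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def validate_data_file(data: bytes, expected_digest: str, country: str):
    """Hash check (para 418) then content checks (para 422); returns problem strings."""
    if hex_sha1(data) != expected_digest.upper():
        return ["hash mismatch: file altered or corrupted in transit"]
    problems = []
    dit_suffix = f"C={country.upper()}"   # assumed national DIT naming convention
    for dn, attrs in parse_ldif(data):
        # check (a): every DN must sit in the sending nation's own DIT subtree
        if not dn.replace(" ", "").upper().endswith("," + dit_suffix):
            problems.append(f"entry outside {country} DIT: {dn}")
        # check (b): the country code must appear in the RHS of every mail address
        for addr in attrs.get("mail", []):
            labels = addr.rpartition("@")[2].lower().split(".")
            if country.lower() not in labels:
                problems.append(f"mail address without {country} country code: {addr}")
    return problems
```

A receiving nation would call validate_data_file with the 40-character digest relayed by the peer; an empty list means the file passed all three checks.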