rev 04

2025-03-07 14:18:15 +08:00 · 2000-12-18 20:11:30 +00:00 · 2000-12-18 20:11:30 +00:00 · c62f6d124c
commit c62f6d124c
parent c19462d44e
1 changed files with 245 additions and 182 deletions
--- a/doc/drafts/draft-ietf-ldapext-matchedval-xx.txt
+++ b/doc/drafts/draft-ietf-ldapext-matchedval-xx.txt
@ -2,17 +2,17 @@ Internet-Draft                                      David Chadwick
 LDAPExt WG                       		   University of Salford      
 Intended Category: Standards Track                     Sean Mullan
 								  Sun Microsystems
-Expires: 1 January 2001                             1 July 2000
+Expires: 15 April 2001                             16 October 2000
 Returning Matched Values with LDAPv3
-<draft-ietf-ldapext-matchedval-02.txt>
+<draft-ietf-ldapext-matchedval-04.txt>
 STATUS OF THIS MEMO
 This document is an Internet-Draft and is in full conformance with 
-all the provisions of Section 10 of RFC2026.
+all the provisions of Section 10 of RFC2026 [1].
 Internet-Drafts are working documents of the Internet Engineering 
 Task Force (IETF), its areas, and its working groups. Note that other
@ -29,10 +29,13 @@ http://www.ietf.org/ietf/1id-abstracts.txt.
 The list of Internet-Draft Shadow Directories can be accessed at
 http://www.ietf.org/shadow.html.
-This Internet-Draft expires on 1 January 2001. Comments and 
+This Internet-Draft expires on 15 April 2001. 
-suggestions on this document are encouraged. Comments on this 
+
-document should be sent to the LDAPExt working group discussion list:
+Comments and suggestions on this document are encouraged. Comments on 
 this document should be sent to the LDAPEXT working group discussion 
 list:
                ietf-ldapext@netscape.com
 or directly to the authors.
@ -48,28 +51,28 @@ values locally.
 1. Introduction
-When reading an attribute from an entry using LDAP v2 [1] or LDAPv3 
+When reading an attribute from an entry using LDAPv3 [2], it is 
-[2], it is normally only possible to read either the attribute type, 
+normally only possible to read either the attribute type, or the 
-or the attribute type and all its values. It is not possible to 
+attribute type and all its values. It is not possible to selectively 
-selectively read just a few of the attribute values. If an attribute 
+read just a few of the attribute values. If an attribute holds many 
-holds many values, for example, the userCertificate attribute, or the 
+values, for example, the userCertificate attribute, or the subschema 
-subschema publishing operational attributes objectClasses and 
+publishing operational attributes objectClasses and attributeTypes 
-attributeTypes [3], then it may be desirable for the user to be able 
+[3], then it may be desirable for the user to be able to selectively 
-to selectively retrieve a subset of the values, specifically, those 
+retrieve a subset of the values, specifically, those attribute values 
-attribute values that match some user defined selection criteria. 
+that match some user defined selection criteria. Without the control 
-Without the control specified in this [ID/standard] a client must 
+specified in this [ID/standard/document] a client must read all of 
-read all of the attribute's values and filter out the unwanted 
+the attribute's values and filter out the unwanted values, 
-values, necessitating the client to implement the matching rules. It 
+necessitating the client to implement the matching rules. It also 
-also requires the client to potentially read and process many 
+requires the client to potentially read and process many irrelevant 
-irrelevant values, which can be inefficient if the values are large 
+values, which can be inefficient if the values are large or complex, 
-or complex, or there are many values stored per attribute.
+or there are many values stored per attribute.
-This Internet Draft specifies an LDAPv3 control to enable a user to 
+This [ID/Standard/document] specifies an LDAPv3 control to enable a 
-return only those values that matched (i.e. returned TRUE to) one or 
+user to return only those values that matched (i.e. returned TRUE to) 
-more elements of a newly defined "values return" filter. This control 
+one or more elements of a newly defined "values return" filter. This 
-can be especially useful when used in conjunction with extensible 
+control can be especially useful when used in conjunction with 
-matching rules that match on one or more components of complex binary 
+extensible matching rules that match on one or more components of 
-attribute values.
+complex binary attribute values.
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",  
 "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this 
@ -79,14 +82,24 @@ document are to be interpreted as described in RFC 2119 [5].
 2. The valuesReturnFilter Control
 The valuesReturnFilter control MAY be critical or non-critical as 
-determined by the user. It is only applicable to the Search 
+determined by the user. It only has meaning for the Search operation, 
-operation, and SHALL be ignored by the server if it is present on any 
+and SHOULD only be added to the Search operation by the client. If 
-other LDAP operation (even if marked critical on such operations).
+the server supports the control and it is present on a Search 
 operation, the server MUST obey the control regardless of the value 
 of the criticality flag. 
 If the control is marked as critical, and either the server does not  
 support the control or the control is applied to an operation other 
 than Search, then the server MUST return an 
 unavailableCriticalExtension error.  If the control is not marked as 
 critical, and either the server does not support the control or the 
 control is applied to an operation other than Search, then the server
 MUST ignore the control.
 The object identifier for this control is 1.2.826.0.1.3344810.2.3
-
+The controlValue is an OCTET STRING, whose value is the BER encoding 
-The controlValue is 
+of a value of the type ValuesReturnFilter.
        ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
@ -102,6 +115,7 @@ The controlValue is
         SimpleMatchingAssertion ::= SEQUENCE {
                matchingRule    [1] MatchingRuleId OPTIONAL,
                type            [2] AttributeDescription OPTIONAL,
 --- at least one of the above must be present
                matchValue      [3] AssertionValue}
 All the above data types have their standard meanings as defined in 
@ -111,8 +125,8 @@ If the server supports this control, the server MUST make use of the
 control as follows:
 (1) The Search Filter is first executed in order to determine 
-which entries satisfy the Search criteria. The control has no 
+which entries satisfy the Search criteria (these are the 
-impact on this step.
+filtered entries). The control has no impact on this step.
 (2) If the typesOnly parameter of the Search Request is TRUE, 
 the control has no effect and the Search Request SHOULD be 
@ -125,213 +139,241 @@ has no effect and the Search Request SHOULD be processed as if
 the control had not been specified.
 (4) For each attribute listed in the attributes parameter of the 
-Search Request, the server MUST apply the control as follows:
+Search Request, the server MUST apply the control as follows to 
 each entry in the set of filtered entries:
 i) Every attribute value that evaluates TRUE against one or 
 more elements of the ValuesReturnFilter is placed in the 
-SearchResultEntry.
+corresponding SearchResultEntry.
 ii) Every attribute value that evaluates FALSE or undefined 
 against all elements of the ValuesReturnFilter is not 
-placed in the SearchResultEntry. An attribute that has no 
+placed in the corresponding SearchResultEntry. An 
-values selected is returned with an empty set of vals.
+attribute that has no values selected is returned with an 
 empty set of vals.
-Editor's Note. There is possibly a more efficient but slightly more 
+Note. If the AttributeDescriptionList is empty or comprises "*" 
-complex way of achieving the value filtering. An alternative is to 
+then the control MUST be applied against every attribute.
 remove the 'present' SimpleFilterItem (which obviously evaluates true 
 for every attribute value of the 'present' attribute description), 
 and to say that any attribute whose type is not mentioned in the 
 ValuesReturnFilter is not filtered and has all its attribute values 
 returned. Comments please.
 3. Relationship to X.500
-The control is a superset of the matchedValuesOnly boolean of the 
+The control is a superset of the matchedValuesOnly (MVO) boolean of 
-X.500 DAP [4] Search argument, as amended in the latest version [6].
+the X.500 DAP [4] Search argument, as amended in the latest version 
-Close examination of the matchedValuesOnly boolean by the LDAPExt 
+[6]. Close examination of the matchedValuesOnly boolean by the 
-group revealed ambiguities and complexities in the MVO boolean that 
+LDAPEXT group revealed ambiguities and complexities in the MVO 
-could not easily be resolved. For example, are only those attribute 
+boolean that could not easily be resolved. For example, it was not 
-values that contributed to the overall truth of the filter governed 
+clear if the MVO boolean governed only those attribute values that 
-by the MVO boolean, or all values of attributes in the filter 
+contributed to the overall truth of the filter, or all of the 
-governed by the MVO boolean, even if the filter item containing the 
+attribute values even if the filter item containing the attribute 
-attribute evaluated to false. For this reason the LDAP group decided 
+evaluated to false. For this reason the LDAPEXT group decided to 
-to replace the MVO boolean with a simple filter that removes any 
+replace the MVO boolean with a simple filter that removes any 
 uncertainty as to whether an attribute value has been selected or 
 not. 
-4. Examples
+4. Relationship to other LDAP Controls
-(1) The first example simply shows how the control can be used to 
+The purpose of this control is to select zero, one or more attribute 
-selectively read a subset of attribute values. 
+values from each requested attribute in a filtered entry, and to 
 discard the remainder. Once the attribute values have been discarded 
 by this control they MUST NOT be re-instated into the Search results 
 by other controls. 
-The entry below represents a groupOfNames object class containing 
+This control acts independently of other LDAP controls such as server 
-several members from different organizations.
+side sorting [10] and duplicate entries [7]. However, there might be 
 interactions between this control and other controls so that a 
 different set of Search Result Entries are returned, or the entries 
 are returned in a different order, depending upon the sequencing of 
 this control and other controls in the LDAP request. For example, 
 with server side sorting, if sorting is done first, and value return 
 filtering second, the set of Search Results may appear to be in the 
 wrong order since the value filtering may remove the attribute values 
 upon which the ordering was done. (The sorting document specifies 
 that entries without any sort key attribute values should be treated 
 as coming after all other attribute values.) Similarly with duplicate 
 entries, if duplication is performed before value filtering, the set 
 of Search Result Entries may contain identical duplicate entries, 
 each with an empty set of attribute values, because the value 
 filtering removed the attribute values that were used to duplicate 
 the results.
-cn: Cross Organizational Standards Body
+For these reasons it is recommended that the ValuesReturnFilter 
-member: cn=joe,o=acme
+control in a SearchRequest SHOULD precede other controls that affect 
-member: cn=alice,o=acme
+the number and ordering of SearchResultEntrys.
-member: cn=bob,o=foo
+
-member: cn=sue,o=bar
+
 5. Examples
 All entries are provided in LDIF format [8].
 The string representation of the valuesReturnFilter in the examples 
 below uses the notation defined in RFC 2254 [11].
 (1) The first example shows how the control can be set to return all 
 attribute values from one attribute type (e.g. telephoneNumber) and a 
 subset of values from another attribute type (e.g. mail).
 The entries below represent organizationalPerson object classes 
 located somewhere beneath the distinguished name dc=ac, dc=uk.
 dn: cn=Sean Mullan, ou=people, dc=sun, dc=ac, dc=uk
 cn: Sean Mullan
 sn: Mullan
 objectClass: organizationalPerson
 objectClass: person
 objectClass: inetOrgPerson
 mail: sean.mullan@hotmail.com
 mail: mullan@east.sun.com
 telephoneNumber: + 781 442 0926
 telephoneNumber: 555-9999
 dn: cn=David Chadwick, ou=isi, o=salford, dc=ac, dc=uk 
 cn: David Chadwick
 sn: Chadwick
 objectClass: organizationalPerson
 objectClass: person
 objectClass: inetOrgPerson
 mail: d.w.chadwick@salford.ac.uk
 An LDAP search operation is specified with a baseObject set to the
-DN of the entry, a baseObject scope, a filter set to 
+DN of the search base (i.e. dc=ac, dc=uk), a subtree scope, a filter 
-"member=*o=acme", and the list of attributes to be returned set to 
+set to (sn=mullan), and the list of attributes to be returned set to 
-"member". In addition, a ValuesReturnFilter control is set to 
+"mail, telephoneNumber". In addition, a ValuesReturnFilter control is 
-"member=*o=acme".
+set to ((mail=*hotmail.com)(telephoneNumber=*))
 The search results returned by the server would consist of the 
 following entry:
-cn: Cross Organizational Standards Body
+dn: cn=Sean Mullan, ou=people, dc=sun, dc=ac, dc=uk
-member: cn=joe, o=acme
+mail: sean.mullan@hotmail.com
-member: cn=alice, o=acme
+telephoneNumber: + 781 442 0926
 (2) The second example shows how the control can be set to match on 
 attributes that are (mail) and are not (telephoneNumber) part of the 
 search filter. It also shows how a user can filter some attribute 
 values (mail) and not others (telephoneNumber).
 The entries below represent inetOrgPerson [7] object classes located
 below some distinguished name in the directory.
 cn: Sean Mullan
 mail: sean.mullan@sun.com
 mail: mullan@east.sun.com
 telephoneNumber: +1 781 442 0926
 telephoneNumber: 555-9999
 cn: David Chadwick
 mail: d.w.chadwick@salford.ac.uk
 An LDAP search operation is specified with a baseObject set to the
 DN of the entry, a subtree scope, a filter set to 
 "(|(mail=sean.mullan@sun.com)(mail=d.w.chadwick@salford.ac.uk))", and 
 the list of attributes to be returned set to "mail telephoneNumber". 
 In addition, a ValuesReturnFilter control is set to 
 "mail=sean.mullan@sun.com, mail=d.w.chadwick@salford.ac.uk, 
 telephoneNumber=*"
 The search results returned by the server would consist of the 
 following entries:
 cn: Sean Mullan
 mail: sean.mullan@sun.com
 telephoneNumber: +1 781 442 0926
 telephoneNumber: 555-9999
 cn: David Chadwick
 mail: d.w.chadwick@salford.ac.uk
 Note that the control has no effect on the values returned for the 
 "telephoneNumber" attribute (all of the values are returned), since 
 the control specified that all values should be returned.
 (3) The third example shows how one might retrieve a single attribute 
 type schema definition for the "gunk" attribute with OID 1.2.3.4.5
-Assume the subschema subentry is held somewhere below the root entry 
+(2) The second example shows how one might retrieve a single 
-with RDN "subschema subentry", and this holds an attributeTypes 
+attribute type subschema definition for the "gunk" attribute with OID 
 1.2.3.4.5 from the subschema subentry 
 Assume the subschema subentry is held below the root entry with DN 
 cn=subschema subentry, o=myorg and this holds an attributeTypes 
 operational attribute holding the descriptions of the 35 attributes 
 known to this server (each description is held as a single attribute 
 value of the attributeTypes attribute). 
 dn: cn=subschema subentry, o=myorg
 cn: subschema subentry
 objectClass: subschema
 attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
 attributeTypes: ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
 attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY
-objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+ objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
 attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY
-generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
+ generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-
-MODIFICATION USAGE directoryOperation )
+ MODIFICATION USAGE directoryOperation )
 attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY
-objectIdentifierFirstComponentMatch SYNTAX 
+ objectIdentifierFirstComponentMatch SYNTAX
-1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
+ 1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
 attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch SYNTAX 
+ SUBSTR caseIgnoreSubstringsMatch SYNTAX
-1.3.6.1.4.1.1466.115.121.1.44{64} )
+ 1.3.6.1.4.1.1466.115.121.1.44{64} )
 attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY
-objectIdentifierFirstComponentMatch SYNTAX 
+ objectIdentifierFirstComponentMatch SYNTAX
-1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
+ 1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
 plus another 28 - you get the idea.
 The user creates an LDAP search operation with a baseObject set to 
-root, a subtree scope, a filter set to "objectClass=subschema", the 
+cn=subschema subentry, o=myorg, a scope of base, a filter set to 
-list of attributes to be returned set to "attributeTypes", and the 
+(objectClass=subschema), the list of attributes to be returned set to 
-ValuesReturnFilter set to "attributeTypes=1.2.3.4.5"
+"attributeTypes", and the ValuesReturnFilter set to 
 (attributeTypes=1.2.3.4.5)
 The search result returned by the server would consist of the 
 following entry:
-cn: subschema subentry
+dn: cn=subschema subentry, o=myorg
 attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch SYNTAX 
+ SUBSTR caseIgnoreSubstringsMatch SYNTAX
-1.3.6.1.4.1.1466.115.121.1.44{64} )
+ 1.3.6.1.4.1.1466.115.121.1.44{64} )
 (4) The final example shows how the control can be set to match on 
 attributes that are not part of the search filter. For example, 
 searching for all entries that have an email address in the
 sun.com domain, and returning the telephone number for any attribute
 values that start with "555". 
-The entries below represent inetOrgPerson [7] object classes located
+(3) The final example shows how the control can be used to match on a 
-below some distinguished name in the directory.
+userCertificate attribute value with a particular key usage bit set 
 (in this case the key encipherment bit). Note that this example 
 requires the LDAP server to support the certificateMatch matching 
 rule defined in [9] and extensible matching.
-cn: Sean Mullan
+The entry below represent a pkiUser object class stored in the 
-mail: sean.mullan@sun.com
+directory.
 mail: mullan@east.sun.com
 telephoneNumber: +1 781 442 0926
 telephoneNumber: 555-9999
-cn: David Chadwick
+dn: cn=David Chadwick + serialNumber=123456, ou=people, o=University
 of Salford, c=gb
 cn: David Chadwick + serialNumber=123456
 objectClass: person 
 objectClass: organizationalPerson 
 objectClass: pkiUser 
 objectClass: inetOrgPerson
 sn: Chadwick
 mail: d.w.chadwick@salford.ac.uk
 userCertificate: {binary representation of certificate including key 
 usage bit of digitalSignature (0)}
 userCertificate: {binary representation of certificate including key 
 usage bit of nonRepudiation (1)}
 userCertificate: {binary representation of certificate including key 
 usage bit of key encipherment (2)}
 userCertificate: {binary representation of certificate including key 
 usage bit of data encipherment (3)}
-An LDAP search operation is specified with a baseObject set to the
+An LDAP search operation is specified with a baseObject set to 
-DN of the entry, a subtree scope, a filter set to "mail=*sun.com", 
+o=University of Salford, c=gb, a subtree scope, a filter set to 
-and the list of attributes to be returned set to "telephoneNumber". 
+(sn=chadwick) and the list of attributes to be returned set to 
-In addition, a ValuesReturnFilter control is set to
+"userCertificate;binary". In addition, a ValuesReturnFilter control 
-"telephoneNumber=555*"
+is set to (userCertificate:2.5.13.35:=USE'001'B)
-The search results returned by the server would consist of the 
+The search result returned by the server would consist of the 
 following entry:
-cn: Sean Mullan
+dn: cn=David Chadwick + serialNumber=123456, ou=people, o=University
-telephoneNumber: 555-9999
+ of Salford, c=gb
 userCertificate;binary: {binary representation of certificate with 
 key usage bit of key encipherment (2)}
-5. Security Considerations
+6. Security Considerations
-This Internet Draft does not discuss security issues at all. 
+This [ID/standard/document] does not primarily discuss security 
 issues. 
-Note that attribute values MUST only be returned if the access 
+Note however that attribute values MUST only be returned if the 
-controls applied by the LDAP server allow them to be returned, and in 
+access controls applied by the LDAP server allow them to be returned, 
-this respect the effect of the ValuesReturnFilter control is of no 
+and in this respect the effect of the ValuesReturnFilter control is 
-consequence.
+of no consequence.
 Note that the ValuesReturnFilter control may have a positive effect 
 on the deployment of public key infrastructures. Certain PKI 
 operations, like searching for specific certificates, become more 
-practical (when combined with X.509 certificate matching rules at the 
+practical when combined with X.509 certificate matching rules at the 
-server) and more scalable, since the control avoids the downloading 
+server, and more scalable, since the control avoids the downloading 
 of potentially large numbers of irrelevant certificates which would 
 have to be processed and filtered locally (which in some cases is 
 very difficult to perform).
-6. Acknowledgements
+7. Acknowledgements
 The authors would like to thank members of the LDAPExt list for their 
-constructive comments on earlier versions of this draft, and in 
+constructive comments on earlier versions of this 
-particular to Harald Alvestrand who first suggested having an 
+[ID/standard/document], and in particular to Harald Alvestrand who 
-attribute return filter and Bruce Greenblatt who first proposed a 
+first suggested having an attribute return filter and Bruce 
-syntax for this control.
+Greenblatt who first proposed a syntax for this control.
-7. Copyright
+8. Copyright
 Copyright (C) The Internet Society (date). All Rights Reserved.
@ -360,10 +402,10 @@ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-8. References
+9. References
-[1] Yeong, W., Howes, T., and Kille, S. "Lightweight Directory Access 
+[1] S. Bradner. "The Internet Standards Process -- Revision 3", RFC 
-Protocol", RFC 1777, March 1995.
+2026, October 1996.
 [2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access  
 Protocol (v3)", Dec. 1997, RFC 2251
 [3] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory 
@ -373,13 +415,22 @@ Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, Dec
 1993.
 [5] S.Bradner. "Key words for use in RFCs to Indicate Requirement 
 Levels", RFC 2119, March 1997.
-[6] ISO/IEC 9594 / ITU-T Rec X.511 (2000) The Directory: Abstract 
+[6] Draft ISO/IEC 9594 / ITU-T Rec X.511 (2001) The Directory: 
-Service Definition.
+Abstract Service Definition.
-[7] M. Smith. "Definition of the inetOrgPerson LDAP Object Class", 
+[7] J. Sermersheim. "LDAP Control for a Duplicate Entry 
-Internet Draft <draft-smith-ldap-inetorgperson-03.txt>, April 1999.
+Representation of Search Results", Internet Draft <draft-ietf-
 ldapext-ldapv3-dupent-04.txt>, July 2000.
 [8] G. Good. "The LDAP Data Interchange Format (LDIF) - Technical 
 Specification". RFC 2849, June 2000.
 [9] D. Chadwick, S.Legg. "Internet X.509 Public Key Infrastructure - 
 Additional LDAP Schema for PKIs and PMIs", Internet Draft <draft-
 pkix-ldap-schema-01.txt>, September 2000
 [10] T. Howes, M. Wahl, A. Anantha, "LDAP Control Extension for 
 Server Side Sorting of Search Results", RFC 2891, August 2000
 [11] T. Howes. "The String Representation of LDAP Search Filters". 
 RFC 2254, December 1997.
-
+10. Authors Addresses
 9. Authors Addresses
 David Chadwick
 IS Institute
@ -388,7 +439,7 @@ Salford M5 4WT
 England
 Email: d.w.chadwick@salford.ac.uk
-
+Tel: +44 161 295 5351
 Sean Mullan			
 Sun Microsystems
@ -398,8 +449,20 @@ Ireland
 Tel: +353 1 853 0655
 Email: sean.mullan@sun.com
-Internet-Draft   Returning Matched Values with LDAPv3     1 July 2000
+
 11. Changes since version 2
 i) Revised the examples to be more appropriate
 ii) Section on interactions with other LDAP controls added
 iii) Removed Editor's note concerning present filter
 iv) Tightened wording about its applicability to other operations 
 and use of criticality field
 Changes since version 3
 i) Mandated that at least one of type and matchingRule in 
 simpleMatchingAssertion be present
 ii) Fixed LDIF mistakes in the examples
 iii) Additional minor editorials only
 1