The Lightweight Directory Access Protocol (LDAP) is the predominant Internet directory access protocol, and consequently the predominant access protocol for certificate repositories in a Public Key Infrastructure (PKI). This paper presents the design and implementation of LDAP component matching, which improves the flexibility and security of an LDAP directory service used as a PKI certificate repository. Component matching, together with the ASN.1 awareness it requires, allows a search to match against arbitrary components of a certificate and to match composite values at the abstraction level of the underlying ASN.1 type definition. Certificates can therefore be searched by their components without syntax-specific parsing and matching routines (flexibility), without extracting certificate components into separate attributes that are searchable but also mutable, since such copies are not covered by the certificate's signature (security), and without restructuring the Directory Information Tree (DIT) to support multiple certificates per subject (manageability and performance). We describe the architecture, the key data structures, and the proposed methods for improving the interoperability and performance of our component matching implementation in the OpenLDAP open source directory software suite. We also propose the use of component matching in on-line certificate validation and in Web services security. A performance evaluation of OpenLDAP component matching shows that our implementation performs as well as or better than the previous approaches.
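The following is an added example, written for this page and not code from the paper or from OpenLDAP. It shows the idea behind component matching in miniature: a certificate-shaped value is DER-encoded, decoded generically into an ASN.1 tree, and an RFC 3687-style component filter (component reference, matching rule, assertion value) is evaluated directly against the decoded components. It also contrasts this with the "previous approach" of copying fields into separate, mutable attributes. Assumptions: the TBSCertificate layout is simplified to version, serialNumber, issuer and subject; the DN rule handles a single commonName RDN only; the names `toy_certificate`, `component_filter_match`, `attribute_match` and the sample attribute `x509serialNumber` are constructed for the example.

```python
# Added example (constructed for this page, not the paper's OpenLDAP code):
# a toy ASN.1-aware component matcher that evaluates an RFC 3687-style
# component filter directly against a DER-encoded, certificate-shaped value.

# --- minimal DER encoder (only the types the toy certificate needs) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(v):
    # Minimal two's-complement encoding, as DER requires.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

CN_OID = bytes([0x55, 0x04, 0x03])  # id-at-commonName, 2.5.4.3

def name(cn):
    # Name ::= RDNSequence; one RDN (SET) holding a single commonName AVA.
    ava = der_seq(tlv(0x06, CN_OID), tlv(0x13, cn.encode("ascii")))
    return der_seq(tlv(0x31, ava))

def toy_certificate(serial, issuer_cn, subject_cn):
    # Simplified TBSCertificate: version [0], serialNumber, issuer, subject.
    # Signature algorithm, validity, key and extensions are omitted
    # (assumption: the matcher is only asked about the fields present).
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(serial), name(issuer_cn), name(subject_cn))
    return der_seq(tbs)

# --- generic DER decoder: returns ((tag, value), end_offset) ---
def decode(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if tag & 0x20:  # constructed: recurse into the children
        kids, p = [], pos
        while p < end:
            node, p = decode(buf, p)
            kids.append(node)
        return (tag, kids), end
    return (tag, buf[pos:end]), end

# --- component references and matching rules ---
TBS_FIELDS = {"version": 0, "serialNumber": 1, "issuer": 2, "subject": 3}

def component(cert, ref):
    # Resolve a reference such as "toBeSigned.serialNumber" in the decoded tree.
    outer, field = ref.split(".")
    if outer != "toBeSigned":
        raise ValueError("unsupported component reference: " + ref)
    tbs = cert[1][0]
    return tbs[1][TBS_FIELDS[field]]

def integer_match(node, value):
    return node[0] == 0x02 and int.from_bytes(node[1], "big", signed=True) == value

def distinguished_name_match(node, value):
    # Toy DN rule: compare a single-RDN name "CN=..." case-insensitively.
    oid, cn = node[1][0][1][0][1]
    return oid[1] == CN_OID and ("CN=" + cn[1].decode("ascii")).lower() == value.lower()

RULES = {"integerMatch": integer_match, "distinguishedNameMatch": distinguished_name_match}

def component_filter_match(der_cert, items, op="and"):
    # items: (component reference, matching rule, assertion value) triples,
    # combined with and/or like the items of an RFC 3687 ComponentFilter.
    cert, _ = decode(der_cert)
    hits = [RULES[rule](component(cert, ref), value) for ref, rule, value in items]
    return all(hits) if op == "and" else any(hits)

def attribute_match(entry, attr, value):
    # The previous approach: a field copied into a separate attribute that
    # can be changed independently of the (signed) certificate value.
    return entry.get(attr) == value

CERT = toy_certificate(1001, "Example CA", "alice")   # constructed sample
# Constructed entry whose copied serial number no longer agrees with the cert.
TAMPERED_ENTRY = {"userCertificate": CERT, "x509serialNumber": 2002}
```

With the tampered entry, a search on the extracted attribute `x509serialNumber` for 2002 succeeds even though no certificate with that serial number exists, while a component filter on `toBeSigned.serialNumber` reads the value inside the certificate itself and does not match; this is the "searchable but mutable" problem the abstract refers to.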