
LDAP for PKI



Presentation Transcript


  1. LDAP for PKI d.w.chadwick@salford.ac.uk

  2. Problems • Cannot search for particular certificates or CRLs • Cannot retrieve particular certificates or CRLs • (An LDAP server treats userCertificate and certificateRevocationList values as opaque binary blobs: a search filter cannot look inside them, and a match on the entry returns every value the attribute holds)

  3. Today’s Hacks
     • For Searching
       • Pull out fields from certificates and create separate attributes
       • Search for the attributes
       • Retrieve the certificates from the same entry and hope they are the ones you want
     • For Retrieving
       • Create separate attribute types, e.g. encCertificate, userCertificate
       • Create separate entries, e.g. CN=David Chadwick (Enc)
       • Create separate subtrees, e.g. OU=Encryption
       • Create child entries holding different certificates

  4. Tomorrow’s Solutions
     • For Searching
       • Use the LDAPv3 Schema <draft-pkix-ldap-schema-01.txt>
     • For Retrieving
       • Use the Matched Values LDAPv3 extension <draft-ldapext-matchedval-03.txt>
     • Overall
       • Use the LDAPv3 Profile for PKI <draft-pkix-ldap-v3-03.txt>

  5. LDAPv3 Schema • New LDAP Matching Rules - taken from X.509 (2001) • Certificate Equality Match • Certificate flexible matching • CRL Equality Match • CRL flexible matching • Rules for Attribute Certificates

  6. Certificate Equality Match • User provides - • Certificate Serial Number and • Issuer Name

  7. Certificate Match • User provides any of the following • Certificate Serial Number • Issuer Name • Subject Key ID • Authority Key ID • Certificate Validity Time • Private Key Validity Time • Subject Public Key Algorithm ID • Key Usage • Subject Name • Subject Alternative Name Type • Certificate Policy OID • Name Constraints • “To” name for certificate path

  8. CRL Equality Match • User provides the following • CRL issuer name • Issuing time (this update) • Optionally the distribution point (R)DN

  9. CRL Match • User provides any of the following • CRL issuer name • minimum CRL number • maximum CRL number • reason for revocation • time of revocation • distribution point of CRL • authority key ID

  10. Attribute Certificate Schema • Attribute certificate exact match • Attribute certificate flexible match • Separate matching rules for 10 extensions

  11. Matched Values • ValuesReturnFilter control comprising • Sequence of Simple Filters • Control is applied after Search Filter has selected the entries • Only attribute values that match one of the Simple Filters are returned • Now ready for Last Call in LDAPExt
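As an added illustration that is not part of the original slides, the Python below models the certificateExactMatch and certificateMatch rules of slides 6 and 7 and the matched-values behaviour of slide 11 over constructed certificate records. The DNs, serial numbers, key identifiers and the policy OID are made up for the example, no DER is parsed, and the pathToName component is left out; the CRL rules of slides 8 and 9 would follow the same "every asserted component must match" pattern.

```python
"""Toy model of X.509 certificateExactMatch / certificateMatch and the LDAPv3
matched-values (ValuesReturnFilter) control over constructed certificate
records. Nothing here parses DER; a real server decodes these fields from the
userCertificate value before applying the matching rule."""
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class CertInfo:
    """Components a certificateMatch assertion can test (pathToName omitted)."""
    serial: int
    issuer: str
    subject: str
    subject_key_id: bytes
    authority_key_id: bytes
    not_before: datetime
    not_after: datetime
    pubkey_alg_oid: str
    key_usage: frozenset   # e.g. {"digitalSignature"}
    san_types: frozenset   # GeneralName types present, e.g. {"rfc822Name"}
    policies: frozenset    # certificatePolicies OIDs

def normalize_dn(dn):
    """Rough distinguishedNameMatch: case-insensitive, RDN spacing ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def certificate_exact_match(cert, serial, issuer):
    """certificateExactMatch: serial number AND issuer name must both equal."""
    return cert.serial == serial and normalize_dn(cert.issuer) == normalize_dn(issuer)

def certificate_match(cert, **assertion):
    """certificateMatch: every component present in the assertion must match;
    absent components impose no constraint."""
    checks = {
        "serial": lambda v: cert.serial == v,
        "issuer": lambda v: normalize_dn(cert.issuer) == normalize_dn(v),
        "subject": lambda v: normalize_dn(cert.subject) == normalize_dn(v),
        "subject_key_id": lambda v: cert.subject_key_id == v,
        "authority_key_id": lambda v: cert.authority_key_id == v,
        # certificateValid: the certificate must be valid at the asserted time
        "valid_at": lambda t: cert.not_before <= t <= cert.not_after,
        "pubkey_alg_oid": lambda v: cert.pubkey_alg_oid == v,
        # keyUsage: every bit the assertion sets must be set in the certificate
        "key_usage": lambda v: set(v) <= cert.key_usage,
        # subjectAltName: at least one name of the asserted type is present
        "san_type": lambda v: v in cert.san_types,
        # policy: the asserted OID appears in certificatePolicies
        "policy": lambda v: v in cert.policies,
    }
    for name, value in assertion.items():
        if name not in checks:
            raise ValueError(f"unknown certificateMatch component: {name}")
        if not checks[name](value):
            return False
    return True

def search_with_matched_values(directory, entry_filter, value_filters):
    """LDAP search plus matched values: entry_filter selects entries, then only
    the userCertificate values satisfying at least one of value_filters (each a
    dict of certificateMatch components, i.e. one Simple Filter) are returned."""
    return {dn: [c for c in certs
                 if any(certificate_match(c, **f) for f in value_filters)]
            for dn, certs in directory.items() if entry_filter(dn, certs)}

# --- constructed sample directory (made-up DNs, serials, key IDs; not real certs)
CA_DN = "cn=Salford CA,o=University of Salford,c=GB"
DAVID_DN = "cn=David Chadwick,o=University of Salford,c=GB"
OTHER_DN = "cn=Other User,o=Example,c=GB"
RSA, POLICY = "1.2.840.113549.1.1.1", "2.999.1"  # 2.999 is the example OID arc
SIGNING_CERT = CertInfo(1001, CA_DN, DAVID_DN, b"\x01", b"\xca", utc(2000, 1, 1),
                        utc(2002, 1, 1), RSA, frozenset({"digitalSignature",
                        "nonRepudiation"}), frozenset({"rfc822Name"}), frozenset({POLICY}))
ENC_CERT = CertInfo(1002, CA_DN, DAVID_DN, b"\x02", b"\xca", utc(2000, 1, 1),
                    utc(2002, 1, 1), RSA, frozenset({"keyEncipherment"}),
                    frozenset(), frozenset({POLICY}))
OTHER_CERT = CertInfo(7, "cn=Other CA,o=Example,c=GB", OTHER_DN, b"\x03", b"\xcb",
                      utc(2000, 1, 1), utc(2002, 1, 1), RSA,
                      frozenset({"keyEncipherment"}), frozenset(), frozenset())
# One entry holding two certificates: the case slide 3's hacks work around.
DIRECTORY = {DAVID_DN: [SIGNING_CERT, ENC_CERT], OTHER_DN: [OTHER_CERT]}

def demo():
    """Retrieve David Chadwick's encryption certificate and nothing else: the
    search filter selects entries with a CA_DN-issued certificate for that
    subject; the values-return filter keeps only keyEncipherment values."""
    def entry_filter(dn, certs):
        return any(certificate_match(c, issuer=CA_DN, subject=DAVID_DN) for c in certs)
    hits = search_with_matched_values(DIRECTORY, entry_filter,
                                      [{"key_usage": {"keyEncipherment"}}])
    return {dn: [c.serial for c in certs] for dn, certs in hits.items()}
```

The point of the two-stage model is the one slide 11 makes: the search filter alone would hand back both of the entry's certificates, and the client would have to decode each to find the encryption one; the values-return filter lets the server do that selection. On the wire, the same assertion is sent as an extensible match such as `(userCertificate:certificateMatch:=...)`, with the assertion value encoded as the schema draft specifies.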

  12. LDAPv3 Profile • Says what features of LDAPv3 MUST, MAY or DO NOT NEED to be supported • E.g. mandates the altServer attribute in the root DSE (even if it points to the server itself)
