Abstract
One of the impediments to a successful rollout of public key infrastructures (PKIs) is that Lightweight Directory Access Protocol (LDAP) directories do not fully support PKIs. In particular, it is not possible to search for X.509 attributes (certificates or CRLs) that match user-defined criteria. This paper describes the various approaches that have been suggested for enabling users to search for X.509 attributes, namely component matching and attribute extraction. The implementation of attribute extraction in the OpenLDAP product is then described.
Copyright information
© 2004 Springer Science + Business Media, Inc.
Cite this chapter
Chadwick, D.W., Ball, E., Sahalayev, M.V. (2004). Modifying LDAP to Support PKI. In: De Capitani di Vimercati, S., Ray, I., Ray, I. (eds) Data and Applications Security XVII. IFIP International Federation for Information Processing, vol 142. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8070-0_15
DOI: https://doi.org/10.1007/1-4020-8070-0_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8069-2
Online ISBN: 978-1-4020-8070-8