LDAP for PKI - PowerPoint PPT Presentation

1
LDAP for PKI
  • d.w.chadwick@salford.ac.uk

2
Problems
  • Cannot search for particular certificates or CRLs
  • Cannot retrieve particular certificates or CRLs

3
Today's Hacks
  • For Searching
      • Pull out fields from certificates and create
        separate attributes
      • Search for the attributes
      • Retrieve the certificates from the same entry and
        hope they are the ones you want
  • For Retrieving
      • Create separate attribute types e.g.
        encCertificate, userCertificate
      • Create separate entries e.g. CN=David Chadwick
        (Enc)
      • Create separate subtrees e.g. OU=Encryption
      • Create child entries holding different
        certificates

4
Tomorrow's Solutions
  • For Searching
      • Use the LDAPv3 Schema
      • <draft-pkix-ldap-schema-01.txt>
  • For Retrieving
      • Use the Matched Values LDAPv3 extension
      • <draft-ldapext-matchedval-03.txt>
  • Overall
      • Use the LDAPv3 Profile for PKI
      • <draft-pkix-ldap-v3-03.txt>

5
LDAPv3 Schema
  • New LDAP Matching Rules - taken from X.509 (2001)
  • Certificate Equality Match
  • Certificate flexible matching
  • CRL Equality Match
  • CRL flexible matching
  • Rules for Attribute Certificates

6
Certificate Equality Match
  • User provides -
  • Certificate Serial Number and
  • Issuer Name

7
Certificate Match
  • User provides any of the following
  • Certificate Serial Number
  • Issuer Name
  • Subject Key ID
  • Authority Key ID
  • Certificate Validity Time
  • Private Key Validity Time
  • Subject Public Key Algorithm ID
  • Key Usage
  • Subject Name
  • Subject Alternative Name Type
  • Certificate Policy OID
  • Name Constraints
  • Path to name (pathToName: a name the certificate
    must be able to certify a path to)

8
CRL Equality Match
  • User provides the following
  • CRL issuer name
  • Issuing time (this update)
  • Optionally the distribution point (R)DN

9
CRL Match
  • User provides any of the following
  • CRL issuer name
  • minimum CRL number
  • maximum CRL number
  • reason for revocation
  • time of revocation
  • distribution point of CRL
  • authority key ID

10
Attribute Certificate Schema
  • Attribute certificate exact match
  • Attribute certificate flexible match
  • Separate matching rules for 10 extensions

11
Matched Values
  • ValuesReturnFilter control comprising
      • Sequence of Simple Filters
  • Control is applied after the Search Filter has
    selected the entries
  • Only attribute values that match one of the
    Simple Filters are returned
  • Now ready for Last Call in LDAPExt
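
An added worked example (not part of the slides) showing the two search modes contrasted across slides 3, 6, 7 and 11: a plain search that returns every certificate value of a selected entry, against a search carrying a ValuesReturnFilter that returns only the values matching the assertion. Certificates are modelled as already-decoded dicts keyed by the X.509 CertificateAssertion component names rather than DER, so it runs offline; the sample entry, the CA names and the simple DN normalisation are constructed for the example and are not from the deck.

```python
from datetime import datetime


def normalize_dn(dn):
    """Rough stand-in for X.500 distinguishedNameMatch: case-insensitive
    values and no whitespace around RDN separators. A real server applies
    each attribute type's own matching rule; this is enough for the example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed sample entry: one person holding two certificates from two CAs,
# the situation the "separate entries / subtrees" hacks exist to work around.
SALFORD_CA = "CN=Salford CA, O=University of Salford, C=GB"
OTHER_CA = "CN=Other CA, O=Example, C=GB"
ENTRY = {
    "dn": "CN=David Chadwick, O=University of Salford, C=GB",
    "userCertificate": [
        {"serialNumber": 1234, "issuer": SALFORD_CA,
         "subjectKeyIdentifier": "01:02", "keyUsage": {"digitalSignature"},
         "notBefore": datetime(2001, 1, 1), "notAfter": datetime(2003, 1, 1)},
        {"serialNumber": 77, "issuer": OTHER_CA,
         "subjectKeyIdentifier": "0a:0b", "keyUsage": {"keyEncipherment"},
         "notBefore": datetime(2002, 1, 1), "notAfter": datetime(2004, 1, 1)},
    ],
}
DIRECTORY = [ENTRY]


def certificate_exact_match(assertion, cert):
    """certificateExactMatch: serialNumber plus issuer identify exactly one
    certificate within a CA, so both components are mandatory."""
    return (cert["serialNumber"] == assertion["serialNumber"]
            and normalize_dn(cert["issuer"]) == normalize_dn(assertion["issuer"]))


def certificate_match(assertion, cert):
    """certificateMatch: every component the assertion supplies must hold;
    components it omits are simply not tested."""
    for name, wanted in assertion.items():
        if name == "issuer":
            if normalize_dn(cert["issuer"]) != normalize_dn(wanted):
                return False
        elif name == "certificateValid":
            # The asserted time must lie inside the certificate's validity period.
            if not (cert["notBefore"] <= wanted <= cert["notAfter"]):
                return False
        elif name == "keyUsage":
            # Every usage bit asserted must be set in the certificate.
            if not set(wanted) <= cert["keyUsage"]:
                return False
        elif cert.get(name) != wanted:
            return False
    return True


def search(directory, attr, rule, assertion):
    """Plain LDAPv3 search: the filter selects entries, and every value of the
    requested attribute comes back, matching or not (the client sorts them out)."""
    return [(e["dn"], list(e[attr]))
            for e in directory
            if any(rule(assertion, v) for v in e[attr])]


def search_matched_values(directory, attr, rule, assertion):
    """Same entry selection, plus a ValuesReturnFilter holding one simple
    filter (attr:rule:=assertion), so only the matching values are returned."""
    return [(e["dn"], [v for v in e[attr] if rule(assertion, v)])
            for e in directory
            if any(rule(assertion, v) for v in e[attr])]


if __name__ == "__main__":
    exact = {"serialNumber": 1234,
             "issuer": "cn=salford ca,o=university of salford,c=gb"}
    for dn, certs in search(DIRECTORY, "userCertificate", certificate_exact_match, exact):
        print("plain search:", dn, [c["serialNumber"] for c in certs])
    for dn, certs in search_matched_values(DIRECTORY, "userCertificate",
                                           certificate_exact_match, exact):
        print("matched values:", dn, [c["serialNumber"] for c in certs])
    flexible = {"keyUsage": {"keyEncipherment"}, "certificateValid": datetime(2002, 6, 1)}
    for dn, certs in search_matched_values(DIRECTORY, "userCertificate",
                                           certificate_match, flexible):
        print("flexible match:", dn, [c["serialNumber"] for c in certs])
```

The plain search hands back both certificates for the one selected entry, which is the "hope they are the ones you want" step of slide 3; with the control only serial 1234 is returned. A crlExactMatch (issuer, thisUpdate, optional distribution point) would take the same shape with a different assertion type and is left out here.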

12
LDAPv3 Profile
  • Says which features of LDAPv3 MUST, MAY or DO NOT
    NEED to be supported
  • E.g. mandates the altServer attribute in the root
    DSE (even if it points to the server itself)