
1 LDAP for PKI
d.w.chadwick@salford.ac.uk

2 Problems
– Cannot search for particular certificates or CRLs
– Cannot retrieve particular certificates or CRLs

3 Today’s Hacks
For Searching
– Pull out fields from certificates and create separate attributes
– Search for the attributes
– Retrieve the certificates from the same entry and hope they are the ones you want
For Retrieving
– Create separate attribute types, e.g. encCertificate, userCertificate
– Create separate entries, e.g. CN=David Chadwick (Enc)
– Create separate subtrees, e.g. OU=Encryption
– Create child entries holding different certificates

4 Tomorrow’s Solutions
For Searching
– Use the LDAPv3 Schema
For Retrieving
– Use the Matched Values LDAPv3 extension
Overall
– Use the LDAPv3 Profile for PKI

5 LDAPv3 Schema
New LDAP Matching Rules, taken from X.509 (2001)
– Certificate Equality Match
– Certificate flexible matching
– CRL Equality Match
– CRL flexible matching
– Rules for Attribute Certificates

6 Certificate Equality Match
User provides
– Certificate Serial Number and
– Issuer Name

7 Certificate Match
User provides any of the following
– Certificate Serial Number
– Issuer Name
– Subject Key ID
– Authority Key ID
– Certificate Validity Time
– Private Key Validity Time
– Subject Public Key Algorithm ID
– Key Usage
– Subject Name
– Subject Alternative Name Type
– Certificate Policy OID
– Name Constraints
– “To” name for certificate path

8 CRL Equality Match
User provides the following
– CRL issuer name
– Issuing time (this update)
– Optionally the distribution point (R)DN

9 CRL Match
User provides any of the following
– CRL issuer name
– minimum CRL number
– maximum CRL number
– reason for revocation
– time of revocation
– distribution point of CRL
– authority key ID
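The four matching rules on slides 6 to 9 share one evaluation model: the client supplies an assertion made of optional components, and a stored certificate or CRL matches when every component actually supplied matches it (the equality rules are just the fixed two- or three-component cases). The following is an added, constructed Python model of that evaluation over in-memory summaries of certificates and CRLs; it is not code from the presentation or from any LDAP server. The certificate and CRL records, the component names, and the `dateAndTime` and `reasonFlags` semantics are simplifications assumed for illustration (a real implementation decodes DER and follows the X.509 (2001) definitions exactly).

```python
from datetime import datetime, timezone
from typing import Any, Callable

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample certificates: plain dicts standing in for decoded ASN.1
# (issuer/subject DNs are pre-normalised to lower case for comparison).
CERTS = [
    {"serial": 1001, "issuer": "cn=example ca,o=example",
     "subject": "cn=david chadwick,o=example",
     "subject_key_id": "aa11", "authority_key_id": "ca01",
     "not_before": utc(2001, 1, 1), "not_after": utc(2003, 1, 1),
     "pk_alg": "rsaEncryption", "key_usage": {"digitalSignature"},
     "san_types": {"rfc822Name"}, "policies": {"1.2.3.4"}},
    {"serial": 1002, "issuer": "cn=example ca,o=example",
     "subject": "cn=david chadwick,o=example",
     "subject_key_id": "bb22", "authority_key_id": "ca01",
     "not_before": utc(2001, 1, 1), "not_after": utc(2003, 1, 1),
     "pk_alg": "rsaEncryption", "key_usage": {"keyEncipherment"},
     "san_types": {"rfc822Name"}, "policies": {"1.2.3.4"}},
    {"serial": 7, "issuer": "cn=other ca,o=other",
     "subject": "cn=someone else,o=other",
     "subject_key_id": "cc33", "authority_key_id": "ca02",
     "not_before": utc(2000, 1, 1), "not_after": utc(2001, 6, 1),
     "pk_alg": "rsaEncryption", "key_usage": {"digitalSignature"},
     "san_types": set(), "policies": set()},
]

# Constructed sample CRLs for the same two issuers.
CRLS = [
    {"issuer": "cn=example ca,o=example", "crl_number": 41,
     "this_update": utc(2002, 3, 1), "next_update": utc(2002, 4, 1),
     "dist_point": "cn=crl1,cn=example ca,o=example", "authority_key_id": "ca01",
     "revoked": [{"serial": 1002, "reason": "keyCompromise", "time": utc(2002, 2, 15)}]},
    {"issuer": "cn=example ca,o=example", "crl_number": 42,
     "this_update": utc(2002, 4, 1), "next_update": utc(2002, 5, 1),
     "dist_point": "cn=crl1,cn=example ca,o=example", "authority_key_id": "ca01",
     "revoked": [{"serial": 1002, "reason": "keyCompromise", "time": utc(2002, 2, 15)},
                 {"serial": 500, "reason": "superseded", "time": utc(2002, 3, 20)}]},
    {"issuer": "cn=other ca,o=other", "crl_number": 3,
     "this_update": utc(2002, 1, 1), "next_update": utc(2003, 1, 1),
     "dist_point": "cn=crl,cn=other ca,o=other", "authority_key_id": "ca02",
     "revoked": [{"serial": 7, "reason": "cessationOfOperation", "time": utc(2001, 5, 1)}]},
]

Predicate = Callable[[dict, Any], bool]

# certificateMatch components (slide 7). A component absent from the
# assertion is simply not evaluated; every component present must match.
CERT_COMPONENTS: dict[str, Predicate] = {
    "serialNumber": lambda c, v: c["serial"] == v,
    "issuer": lambda c, v: c["issuer"] == v.lower(),
    "subjectKeyIdentifier": lambda c, v: c["subject_key_id"] == v,
    "authorityKeyIdentifier": lambda c, v: c["authority_key_id"] == v,
    "certificateValid": lambda c, v: c["not_before"] <= v <= c["not_after"],
    "subjectPublicKeyAlgID": lambda c, v: c["pk_alg"] == v,
    "keyUsage": lambda c, v: set(v) <= c["key_usage"],   # all asserted bits set
    "subjectAltName": lambda c, v: v in c["san_types"],  # a name of that type exists
    "policy": lambda c, v: v in c["policies"],
    "subject": lambda c, v: c["subject"] == v.lower(),
}

# CRL match components (slide 9). Assumed simplified semantics: dateAndTime
# selects a CRL that was current at that time (thisUpdate <= t < nextUpdate);
# reasonFlags selects a CRL listing at least one entry revoked for such a reason.
CRL_COMPONENTS: dict[str, Predicate] = {
    "issuer": lambda r, v: r["issuer"] == v.lower(),
    "minCRLNumber": lambda r, v: r["crl_number"] >= v,
    "maxCRLNumber": lambda r, v: r["crl_number"] <= v,
    "reasonFlags": lambda r, v: any(e["reason"] in v for e in r["revoked"]),
    "dateAndTime": lambda r, v: r["this_update"] <= v < r["next_update"],
    "distributionPoint": lambda r, v: r["dist_point"] == v.lower(),
    "authorityKeyIdentifier": lambda r, v: r["authority_key_id"] == v,
}

def matches(record: dict, components: dict[str, Predicate], assertion: dict) -> bool:
    """True if every component present in the assertion matches the record."""
    unknown = set(assertion) - set(components)
    if unknown:
        raise ValueError(f"unknown assertion component(s): {sorted(unknown)}")
    return all(components[name](record, value) for name, value in assertion.items())

def certificate_match(assertion: dict, certs=CERTS) -> list:
    """Serial numbers of the certificates selected by a certificateMatch assertion."""
    return [c["serial"] for c in certs if matches(c, CERT_COMPONENTS, assertion)]

def certificate_exact_match(serial: int, issuer: str, certs=CERTS) -> list:
    """Certificate Equality Match (slide 6) is the two-component special case."""
    return certificate_match({"serialNumber": serial, "issuer": issuer}, certs)

def crl_match(assertion: dict, crls=CRLS) -> list:
    """CRL numbers of the CRLs selected by a CRL Match assertion."""
    return [r["crl_number"] for r in crls if matches(r, CRL_COMPONENTS, assertion)]
```

`certificate_match({"subject": "CN=David Chadwick,O=Example", "keyUsage": ["keyEncipherment"]})` returns only serial 1002, which is exactly the lookup the slide 3 hacks cannot express: the selection happens inside the certificate value rather than on separately extracted attributes. An empty assertion matches everything, and an unknown component name is rejected rather than silently ignored, so a typo cannot widen a search.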

10 Attribute Certificate Schema
– Attribute certificate exact match
– Attribute certificate flexible match
– Separate matching rules for 10 extensions

11 Matched Values
– ValuesReturnFilter control comprising a Sequence of Simple Filters
– Control is applied after the Search Filter has selected the entries
– Only attribute values that match one of the Simple Filters are returned
– Now ready for Last Call in LDAPExt
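The point of the control is the two-stage processing: the search filter decides which entries come back, and the ValuesReturnFilter then decides which values of each returned attribute come back. The following is an added, constructed Python model of that processing; it is not code from the presentation or from any LDAP server, and the entries, the summary form of the certificate values, the `certificate_match` rule and the handling of attributes named by no simple filter (returned with an empty value list) are assumptions made for illustration.

```python
from __future__ import annotations
from typing import Callable

# Constructed directory entries: attribute type -> list of values. The
# userCertificate values are small dicts summarising a certificate, not DER.
ENTRIES = {
    "cn=David Chadwick,o=Example": {
        "cn": ["David Chadwick"],
        "mail": ["dwc@example.org"],
        "userCertificate": [
            {"serial": 1001, "issuer": "cn=example ca", "key_usage": {"digitalSignature"}},
            {"serial": 1002, "issuer": "cn=example ca", "key_usage": {"keyEncipherment"}},
            {"serial": 9, "issuer": "cn=old ca", "key_usage": {"digitalSignature"}},
        ],
    },
    "cn=Someone Else,o=Example": {
        "cn": ["Someone Else"],
        "mail": ["someone@example.org"],
        "userCertificate": [
            {"serial": 55, "issuer": "cn=example ca", "key_usage": {"digitalSignature"}},
        ],
    },
}

# A simple filter item is (attribute type, predicate over one value).
SimpleFilter = tuple[str, Callable[[object], bool]]

def equality_match(attr: str, value) -> SimpleFilter:
    return attr, lambda v: v == value

def extensible_match(attr: str, rule: Callable, assertion) -> SimpleFilter:
    """extensibleMatch item: a named matching rule applied to each value."""
    return attr, lambda v: rule(v, assertion)

def certificate_match(cert: dict, assertion: dict) -> bool:
    """Cut-down certificateMatch rule over the summary dicts above (assumed)."""
    for component, wanted in assertion.items():
        if component == "keyUsage":
            if not set(wanted) <= cert["key_usage"]:
                return False
        elif cert.get(component) != wanted:
            return False
    return True

def search(search_filter: Callable[[dict], bool], entries=ENTRIES) -> dict:
    """Stage 1: the search filter selects whole entries, all values intact."""
    return {dn: attrs for dn, attrs in entries.items() if search_filter(attrs)}

def apply_matched_values(selected: dict, items: list[SimpleFilter],
                         requested: list[str] | None = None) -> dict:
    """Stage 2: the ValuesReturnFilter control. For each returned attribute,
    keep only the values matched by at least one simple filter item naming
    that attribute. Entry selection is unchanged: an entry whose values all
    fail the items is still returned, with empty value lists."""
    result = {}
    for dn, attrs in selected.items():
        out = {}
        for attr, values in attrs.items():
            if requested is not None and attr not in requested:
                continue
            preds = [p for a, p in items if a == attr]
            out[attr] = [v for v in values if any(p(v) for p in preds)]
        result[dn] = out
    return result

def serials(entry: dict) -> list:
    return [c["serial"] for c in entry["userCertificate"]]

# Without the control, (cn=David Chadwick) returns every certificate in the
# entry and the client has to pick (the slide 3 hack)...
EVERYTHING = search(lambda a: "David Chadwick" in a["cn"])
# ...with the control, only the encryption certificate from the current CA
# comes back, and the entry selection is unchanged.
ONLY_ENC = apply_matched_values(
    EVERYTHING,
    [extensible_match("userCertificate", certificate_match,
                      {"issuer": "cn=example ca", "keyUsage": ["keyEncipherment"]})],
    requested=["userCertificate"])
```

Several simple filter items are OR-ed per value, so a request can keep `cn` with an equality item and narrow `userCertificate` with an extensible item at the same time; an attribute no item names comes back with no values, and an entry none of whose certificates match still comes back (with an empty `userCertificate`), because the control never touches the search filter's choice of entries.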

12 LDAPv3 Profile
– Says what features of LDAPv3 MUST, MAY or DO NOT NEED to be supported
– E.g. mandates use of AltServer in the root DSE (even if it points to itself)

