Presentation: LDAP for PKI (d.w.chadwick@salford.ac.uk)


  • Number of slides: 12

LDAP for PKI
d.w.chadwick@salford.ac.uk

Problems
• Cannot search for particular certificates or CRLs
• Cannot retrieve particular certificates or CRLs

Today’s Hacks
• For Searching
  – Pull out fields from certificates and create separate attributes
  – Search for the attributes
  – Retrieve the certificates from the same entry and hope they are the ones you want
• For Retrieving
  – Create separate attribute types, e.g. encCertificate, userCertificate
  – Create separate entries, e.g. CN=David Chadwick (Enc)
  – Create separate subtrees, e.g. OU=Encryption
  – Create child entries holding different certificates

Tomorrow’s Solutions
• For Searching
  – Use the LDAPv3 Schema
  – <draft-pkix-ldap-schema-01.txt>
• For Retrieving
  – Use the Matched Values LDAPv3 extension
  –
• Overall
  – Use the LDAPv3 Profile for PKI
  –

LDAPv3 Schema
• New LDAP Matching Rules, taken from X.509 (2001)
  – Certificate Equality Match
  – Certificate flexible matching
  – CRL Equality Match
  – CRL flexible matching
  – Rules for Attribute Certificates

Certificate Equality Match
• User provides
  – Certificate Serial Number, and
  – Issuer Name

Certificate Match
• User provides any of the following
  – Certificate Serial Number
  – Issuer Name
  – Subject Key ID
  – Authority Key ID
  – Certificate Validity Time
  – Private Key Validity Time
  – Subject Public Key Algorithm ID
  – Key Usage
  – Subject Name
  – Subject Alternative Name Type
  – Certificate Policy OID
  – Name Constraints
  – “To” name for certificate path

CRL Equality Match
• User provides the following
  – CRL issuer name
  – Issuing time (thisUpdate)
  – Optionally, the distribution point (R)DN

CRL Match
• User provides any of the following
  – CRL issuer name
  – Minimum CRL number
  – Maximum CRL number
  – Reason for revocation
  – Time of revocation
  – Distribution point of CRL
  – Authority key ID

Attribute Certificate Schema
• Attribute certificate exact match
• Attribute certificate flexible match
• Separate matching rules for 10 extensions

Matched Values
• ValuesReturnFilter control comprising
• Sequence of Simple Filters
• Control is applied after the Search Filter has selected the entries
• Only attribute values that match one of the Simple Filters are returned
• Now ready for Last Call in LDAPExt
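As an added illustration (not part of the slides or of any LDAP server or draft code), the following Python simulation puts the Certificate Equality Match slide and the Matched Values slide together. It models a directory entry whose multi-valued userCertificate attribute holds several certificates, selects entries with a serial-number-plus-issuer exact match, and then applies a Matched Values style filter so that only the certificate values satisfying a simple filter are returned, rather than every value in the entry (the “hope they are the ones you want” problem from the Today’s Hacks slide). The CertInfo records, the directory contents and the function names are all constructed here; real certificates are DER blobs and the real control is ASN.1-encoded, which this does not attempt.

```python
"""Simulation of certificate exact matching plus the Matched Values control.

Constructed example: CertInfo stands in for a parsed X.509 certificate
(no DER is parsed), Entry stands in for a directory entry with a
multi-valued userCertificate attribute.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for the fields the matching rules look at."""
    serial: int
    issuer: str            # issuer DN as a string
    key_usage: frozenset   # e.g. {"digitalSignature"} or {"keyEncipherment"}


@dataclass
class Entry:
    dn: str
    user_certificates: list   # the multi-valued userCertificate attribute


def normalise_dn(dn: str) -> str:
    """DN comparison is case- and whitespace-insensitive in LDAP; fold both."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def certificate_exact_match(cert: CertInfo, serial: int, issuer: str) -> bool:
    """Certificate Equality Match: the caller supplies serial number and issuer."""
    return cert.serial == serial and normalise_dn(cert.issuer) == normalise_dn(issuer)


def search(directory, serial: int, issuer: str):
    """Search filter step: select entries holding a certificate that matches."""
    return [e for e in directory
            if any(certificate_exact_match(c, serial, issuer) for c in e.user_certificates)]


def values_without_control(entries):
    """Plain search result: every userCertificate value of each selected entry."""
    return {e.dn: list(e.user_certificates) for e in entries}


def apply_matched_values(entries, simple_filters):
    """Matched Values control: applied after the search filter has chosen the
    entries; only attribute values matching at least one simple filter come back.
    Each simple filter is a predicate over CertInfo (stand-in for a SimpleFilterItem)."""
    return {e.dn: [c for c in e.user_certificates if any(f(c) for f in simple_filters)]
            for e in entries}


def lookup_certificate(directory, serial: int, issuer: str):
    """Select the entry by exact match, then return only the matching value."""
    selected = search(directory, serial, issuer)
    return apply_matched_values(
        selected, [lambda c: certificate_exact_match(c, serial, issuer)])


# Constructed directory contents: one entry with three certificate values
# (two from the same CA, one from another CA) and a second unrelated entry.
DIRECTORY = [
    Entry("cn=David Chadwick,o=Example", [
        CertInfo(1001, "cn=Example CA,o=Example", frozenset({"digitalSignature"})),
        CertInfo(1002, "cn=Example CA,o=Example", frozenset({"keyEncipherment"})),
        CertInfo(77, "cn=Other CA,o=Elsewhere", frozenset({"digitalSignature"})),
    ]),
    Entry("cn=Someone Else,o=Example", [
        CertInfo(2001, "cn=Example CA,o=Example", frozenset({"keyEncipherment"})),
    ]),
]

if __name__ == "__main__":
    hits = search(DIRECTORY, 1002, "CN=Example CA, O=Example")
    print("all values:", values_without_control(hits))
    print("matched values only:", lookup_certificate(DIRECTORY, 1002, "CN=Example CA, O=Example"))
    # A different simple filter on the same selected entry: key usage.
    print("encryption certs:", apply_matched_values(
        hits, [lambda c: "keyEncipherment" in c.key_usage]))
```

Without the control, the client receives all three certificate values from the selected entry, including one from an unrelated CA, and has to pick the right one itself; with the control, only the value the simple filter accepted is returned. The key-usage filter at the end shows the same mechanism with a different simple filter, which is what the flexible Certificate Match rule on the earlier slide allows.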

LDAPv3 Profile
• Says which features of LDAPv3 MUST, MAY or DO NOT NEED to be supported
• E.g. mandates use of altServer in the root DSE (even if it points to itself)