ABSTRACT
As an integral part of Web Services Security (WS-Security), directory services are used to store and access X.509 certificates. The Lightweight Directory Access Protocol (LDAP) is the predominant directory access protocol for the Internet, and hence for Web services. Although LDAP attribute and assertion value syntaxes are defined in ASN.1, their values are encoded in simple octet string formats that generally do not preserve the complete structure of the abstract values. As a result, LDAP matching rules for certificates must be provided in a certificate-syntax-specific way, whereas X.500 matching rules can be constructed from the structured ASN.1 syntax definition. Moreover, LDAP has traditionally lacked the ability to make assertions against components of values of complex syntaxes such as X.509 certificates. WS-Security needs to locate a target X.509 certificate by matching against arbitrary certificate components named in its security token references, so it requires the directory server to be prepared with every possible matching function for maximum flexibility. This is very cumbersome because LDAP server implementations are not ASN.1 aware, which has led to remedies such as the recently proposed Certificate Parsing Server (XPS). XPS extracts the relevant components of the certificate and stores them in separate, searchable attributes. Because of the significant downsides of these remedies, we pursued an ASN.1-based Component Matching alternative that makes an LDAP directory server ASN.1 aware. With Component Matching and ASN.1 awareness, LDAP can flexibly provide WS-Security with the various matching rules it needs. In this paper, we describe our implementation of Component Matching and ASN.1 awareness in OpenLDAP Software, and the use of Component Matching in various security components of Web services, especially in the context of WS-Security and XKMS. The experimental results show that flexible and secure certificate access can be accomplished without sacrificing performance and manageability.
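As an added illustration (not code from the paper or from OpenLDAP), the following toy evaluator shows what Component Matching asks of a server: the attribute value is an opaque DER octet string, so the server must decode the ASN.1 structure before it can apply the matching rule named in an RFC 3687 component filter. The sample value, its field names and the rule set are constructed assumptions standing in for a certificate's serialNumber and issuer.

```python
# Added example (not from the paper or OpenLDAP): a toy Component Matching evaluator.
# The attribute value arrives as an opaque DER octet string; the server must recover
# the ASN.1 structure, then apply the rule named in the filter to one component.
import json

# Constructed sample: SEQUENCE { INTEGER 42, PrintableString "CN=Example CA" },
# a stand-in for a certificate's serialNumber and issuer (not a real X.509 value).
SAMPLE_DER = bytes.fromhex("3012" "02012a" "130d" "434e3d4578616d706c65204341")

# Assumed field names for the sample SEQUENCE; a real server takes them from the
# ASN.1 module (X.509 names them toBeSigned.serialNumber, toBeSigned.issuer, ...).
SCHEMA = ["serialNumber", "issuer"]

# Matching rules applied to a decoded component, keyed by RFC 3687 rule name.
RULES = {
    "integerMatch": lambda raw, v: int.from_bytes(raw, "big", signed=True) == int(v),
    "caseIgnoreMatch": lambda raw, v: raw.decode("ascii").casefold() == str(v).casefold(),
}

def der_decode(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns ((tag, value), end). Constructed values
    (bit 6 of the tag) are decoded recursively into a list of child nodes."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:
        children = []
        while pos < end:
            child, pos = der_decode(buf, pos)
            children.append(child)
        return (tag, children), end
    return (tag, buf[pos:end]), end

def component_match(der: bytes, component: str, rule: str, value) -> bool:
    """Server side: decode the octet string and test one component with one rule."""
    (_, fields), _ = der_decode(der)
    raw = fields[SCHEMA.index(component)][1]
    return RULES[rule](raw, value)

def evaluate_filter(der: bytes, items) -> bool:
    """AND of several (component, rule, value) items, as in an and:{ ... } filter."""
    return all(component_match(der, c, r, v) for c, r, v in items)

def component_filter(attr: str, items) -> str:
    """Client side: render the LDAP extensible-match filter in RFC 3687 GSER style."""
    body = ", ".join(f'item:{{ component "{c}", rule {r}, value {json.dumps(v)} }}'
                     for c, r, v in items)
    return f"({attr}:componentFilterMatch:=and:{{ {body} }})"
```

The XPS approach would instead pre-extract each field into its own attribute at publication time, so any component not anticipated then cannot be searched; the decoder above is what lets the server answer an assertion against any component on demand.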