LDAP Items

Slides:



Advertisements
Similar presentations
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Advertisements

CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.
Use of AIA for Attribute Certificates
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Configuration Management Supplement 67 Robert Horn, Agfa Healthcare.
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:
Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.
Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
INFORMATION FOR NETWORK OPERATION. CONTENT Directory service Standard X.500 LDAP.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.
RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039.
LDAP: Information Model Part 2 CNS 4650 Fall 2004 Rev. 2.
23/4/2001LDAP Overview - HEPix - LAL 2001 LDAP Overview HEPix – LAL Apr Michel Jouvin
Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)
Extending OpenLDAP Luke Howard PADL Software Pty Ltd Copyright © 2003 PADL Software Pty Ltd. All rights reserved. PADL is a registered trademark of PADL.
LDAP: LDIF & DSML Fall 2004 Rev. 2. LDIF Light-weight Data Interchange Format RFC 2849 Common format to exchange data entry schema.
July 27, 2009IETF NEA Meeting1 NEA Working Group IETF 75 Co-chairs: Steve Hanna
KMIP 1.3 Deprecation February 20, Deprecation 5.1 KMIP Deprecation Rule Items in the normative KMIP Specification [KMIP-Spec] document can be marked.
CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #59 – PKI4IPSEC Working.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
4395bis irireg Tony Hansen, Larry Masinter, Ted Hardie IETF 82, Nov 16, 2011.
LDAP: Accessing Operational Information CNS 4650 Fall 2004 Rev. 2.
26 July 2007IETF 69 PKIX1 Use of WebDAV for Certificate Publishing and Revocation
3280bis David Cooper. Changes Since Draft 02 ● Section 1 (Introduction): Replaced text highlighting changes between RFC 2459 and 3280 with text highlighting.
UTF8String Deployment Status and Migration Plan Akira KANAOKA Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency,
29 October 2001Terena TF-LSD1 Certificate Retrieval With OpenLDAP David Chadwick.
JOSE Working Group 7 November 2013, PST IETF 88 Vancouver.
Some Technical Issues in PKI Deployment David Chadwick
File: /ram/wgchairs.sxi Date: 7 January, 2016 Slide 1 Process and Tools (PROTO) Team General Area Meeting IETF59, Seoul, Korea -- March 2004
15 May 2001© 2001 University of Salford1 Deficiencies in LDAP when used to support Public Key Infrastructures David W Chadwick
SonOf3039 Status Russ Housley Security Area Director.
November 20, 2002IETF 55 - Atlanta1 VPIM Voice Profile for Internet Mail Mailing list: To subscribe: send.
Review on Active Directory. Aim Enable users to find network resources easily Central and easy administration of users and resources in a domain Improve.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
IETF 65 – Lemonade – March 20, Lemonade Status Updates for IETF’65: Our Assigned drafts for Mar 20, 2006 WG session (*)
LDAP for PKI Problems Cannot search for particular certificates or CRLs Cannot retrieve particular certificates or CRLs.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.
Portable Symmetric Key Container (PSKC) Mingliang Pei Philip Hoyer Dec. 3, th IETF, Vancouver.
Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.
S/MIME Capabilities Certificate Extension Stefan Santesson Microsoft.
SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.
Discovery of CRL Signer Certificate Stefan Santesson Microsoft.
LDAP: Creating Object Classes and Attributes CNS 4650 Fall 2004 Rev. 2.
LDAP PKI and PMI Schemas
Public Key Infrastructure Using X.509 (PKIX) Working Group
Introduction to LDAP Frank A. Kuse.
ALTO Protocol draft-ietf-alto-protocol-14
Public Key Infrastructure Using X.509 (PKIX) Working Group
draft-ietf-geopriv-lbyr-requirements-02 status update
CTI TC Monthly Meeting Updates Session #1: 11:00 AM EST
News from the wonderful world of directories
LDAP – Light Weight Directory Access Protocol
Resource Certificate Profile
Architecture Competency Group
Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
LDAP Standardization Report
Presentation transcript:

LDAP Items

Contents LDAPv3 Profile New strings for RDNs LDAP schema for attribute extraction LDAPv3 protocol update LDAP schema for component matching Finding the LDAP server of a subject ;binary

LDAPv3 Profile issued in January 2002 No comments received except from Microsoft that does not support multi- attributes in RDNs. This feature is currently mandatory in the profile.

New strings for RDNs Update sent to the ID editor but 10 minutes late, so bounced. Will be resubmitted next week String X.500/LDAP AttributeType SERIALNUMBER serialNumber ADDR postalAddress PSEUDO pseudonym GN givenName SN surname MAIL mail/rfc822Mailbox PI permanentIdentifier X509SN x509serialNumber ISSUER x509issuer ISSUERSN x509issuerSerial UPDATE x509crlThisUpdate

LDAP Schema for Attribute Extraction LDAP directory CA/AA Search for Att 1.. Att i Return X.509 attribute XPS server Att1, Att2…Att n + [ ]

LDAP Schema for Attribute Extraction Revised IDs issued for certificates, CRLs and attribute certs Issue: whether the attribute for the binary cert/CRL should have a different attribute type in the child entry (in PKC it is different, in CRL and AC it is not) Issue: How much information to store from a CRLDP – just the URI of the full CRL or all general names plus reasons, issuers and relative name Issue: PKC schema has not added AA Controls extension from AC profile – should it? Issue: The attribute types defined in AC profile are not defined by LDAP (and cant be supported “as is” due to their complex syntax). The Klasen draft needs to become a full PKIX draft (the reason it did not this time was due to cut off dates)

Changes to PKC –03 draft Changed Matching Rules from caseIgnoreMatch to caseIgnoreIA5Match moved the references to RFC 3280 from the DESC part of the attribute definition to the text added some additional text about CIP in Introduction reworded text in Section on Subject public key info algorithm to: „ OID identifying the algorithm associated with the certified public key“

Changes to PKC –03 draft contd. changed x509userCert and x509caCert to be inherited from userCertificate and caCertificate respectively added clarification about x509subject and subject alternative names in section Section 4.5 added attribute type x509issuerSerial to x509PKC object class added attribute type x509basicConstraintsCa to x509PKC object class renamed attributetype 509cRLDistributionPointURI to x509FullcRLDistributionPointURI

Changes to PKC –03 draft contd. devided references in normative and non normative deleted attributetype mail from x509PKC objectclass created separate Name Forms for 509userCertificate and x509caCertificate object classes changed attributetype x509SerialNumber to MULTI-VALUE adjusted examples to new schema Fixed more typos

Still todo Include AAcontrol extension from RFC 3281 into X509-PKC objectclass Add new auxiliary object class for qualified certificates (draft-ietf-pkix-sonof txt) –What is the status of that draft? IANA considerations Resolve the issues with the AC and CRL draft

LDAPv3 Protocol Update Protocol is currently proposed standard but draft standard is in preparation ;binary has been removed from latest revision Probably will be added as an extension to LDAPv3 (Steven Legg ID) But this currently gives PKIX users a problem Chairs decided to ballot PKIX members on which LDAP they use and how

LDAPv3 Schema for Component Matching Separated into two IDs – PKI schema and PMI schema PKI schema has defined a native LDAP encoding for PKI attributes, which is bitwise identical to the ;binary encodings of the current LDAPv3 proposed standard Also added back the simple encoding for exact matching (from first ID) that is now implemented in OpenLDAP PKI schema is now finished (apart from ;binary issue) PMI schema needs a bit more work on it

LDAPv3 Any Other Issues There is currently no direct way for the recipient of a user certificate to find out where other certificates for the same user might be found The AIA and SIA do not provide this functionality ID has been written which defines a new Subject Certificate Access extension, and will be submitted next week Alternative would be to add a new value for SIA (or AIA) that points to the location(s) of the subject’s cert

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.