Stroeder.COM, TF-LSD Meeting

S/MIME Certificate Collector
- Motivation
- Proposed Solution
- Discussion
Situation Today

- LDAP directories are accepted as the PKIX repository, but ...
  - there is no globally working directory infrastructure
  - LDAP is hidden behind organizational boundaries
  - there are different ways of storing certificates in a directory
- certificates are usually distributed via S/MIME (in-band) or HTTP (out-of-band)
- there is no easy-to-use standard way for search and retrieval
Situation Today [diagram slide]

S/MIME Cert Collector [diagram slide]
Dealing With Local Directories

Accept the existence of organizational directories as they are:
- Local naming conventions
  - naming transformation from certificate subject DN to LDAP DN
  - plug-ins
- Access control (administration and firewalls)
  - use a widely accepted transport protocol that crosses organizational boundaries: SMTP
- Storage schemes (often depending on PKI products)
  - plug-ins
Why S/MIME e-mails?

- SMTP is a widely deployed protocol and crosses organizational boundaries such as firewalls easily
- S/MIME is implemented in commonly deployed MUAs
- Signed S/MIME e-mails contain the sender's certificate (if the MUA is configured to include it)
- The sender "publishes" his/her certificate by sending a signed e-mail to a certain address
Privacy

- Adding his/her certificate has to be the intention of the user
- The user himself/herself publishes it by sending an e-mail to a certain address
- The signature has to be validated; the sender address should preferably be taken from a From: header inside the signed body, because the outer From: header is not covered by the signature
- Privacy requirements have to be met by the organizational directory
Access Control

- Possibly the data is reviewed by the local directory administrator before being added
- The signature has to be validated against a trusted root certificate
- Access control within the organizational directory is subject to the directory's configuration
Directory Access

- Directly write to the LDAP directory
  - add new entries if necessary
  - modify existing entries (e.g. search by e-mail address)
- Write data for review and bulk upload (LDIF, DSML)
- Write a replication log
- How is data removed?
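The following block is an added example, not code from the presentation or from the collector it describes. It shows the non-cryptographic half of the gateway sketched on the Privacy, Dealing With Local Directories and Directory Access slides: which From: header to trust, the naming transformation from a certificate subject DN to the organizational directory's DN, and LDIF output for the review/bulk-upload path (add vs. modify). It assumes the S/MIME verification against a trusted root has already been done outside this code (for example with `openssl smime -verify -CAfile trusted.pem -signer signer.pem`) and has handed over the signer certificate's subject DN, e-mail address and DER bytes; the message, the subject DN, the DER placeholder, the base DN `ou=People,dc=example,dc=com` and the dictionary standing in for an LDAP search are all constructed for the example.

```python
import base64
import email
import re
from email.utils import parseaddr

# Constructed sample: forged outer From:, real sender's From: inside the signed
# body part.  The p7s part is a placeholder, not a real PKCS#7 signature.
SAMPLE_MSG = """\
From: attacker@example.net
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii
From: John Doe <jdoe@example.com>

Please add my certificate to the directory.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""
# Assumed to come from the verification step (e.g. `openssl smime -verify
# -CAfile trusted.pem -signer signer.pem`), which is outside this block.
SUBJECT_DN = "C=DE,O=Example Org,OU=Dept\\, Security,CN=John Doe,emailAddress=jdoe@example.com"
SIGNER_EMAILS = ["jdoe@example.com"]          # rfc822Name / emailAddress values
CERT_DER = b"placeholder for the signer certificate's DER bytes"
BASE_DN = "ou=People,dc=example,dc=com"       # assumed local directory base

def signed_sender(raw):
    """(address, covered_by_signature): the outer From: lies outside the signed
    part and can be forged, so a From: inside the signed body wins."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        body = msg.get_payload(0)              # part 0 is what the p7s signs
        if body["From"]:
            return parseaddr(body["From"])[1].lower(), True
    return parseaddr(msg["From"] or "")[1].lower(), False

def parse_dn(dn):
    """RFC 4514 string DN -> [(type, value)]; handles backslash-char escapes,
    not hex-pair escapes or '+' multi-valued RDNs."""
    pairs = []
    for rdn in re.findall(r"(?:\\.|[^,\\])+", dn):
        t, _, v = rdn.partition("=")
        pairs.append((t.strip().lower(), re.sub(r"\\(.)", r"\1", v.strip())))
    return pairs

def escape_value(v):
    """RFC 4514 escaping of one attribute value for use inside a DN."""
    v = "".join("\\" + c if c in '\\",+;<>' else c for c in v)
    if v[:1] in ("#", " "):
        v = "\\" + v
    return v[:-1] + "\\ " if v.endswith(" ") else v

def local_dn(subject_dn, base_dn=BASE_DN):
    """Naming transformation plug-in (assumed local convention): people are
    keyed by mail address under base_dn; the certificate DN's C=/O=/OU=
    structure is dropped.  Falls back to CN when the cert carries no address."""
    attrs = dict(parse_dn(subject_dn))
    mail = attrs.get("mail") or attrs.get("emailaddress")
    rdn = ("mail", mail) if mail else ("cn", attrs["cn"])
    return "%s=%s,%s" % (rdn[0], escape_value(rdn[1]), base_dn), attrs, mail

def ldif_line(attr, value):
    """LDIF safe-string rule: '::' + base64 for bytes, non-ASCII, line breaks,
    or a value starting with space, ':' or '<'."""
    if isinstance(value, str) and value.isascii() and "\n" not in value \
            and "\r" not in value and value[:1] not in (" ", ":", "<"):
        return "%s: %s" % (attr, value)
    raw = value if isinstance(value, bytes) else value.encode()
    return "%s:: %s" % (attr, base64.b64encode(raw).decode())

def ldif_change(dn, attrs, mail, cert_der, exists):
    """LDIF for the review/bulk-upload path: modify-add the certificate to an
    entry found by mail address, else create a new inetOrgPerson entry."""
    lines = [ldif_line("dn", dn)]
    if exists:
        lines += ["changetype: modify", "add: userCertificate;binary"]
    else:
        lines += ["changetype: add", "objectClass: inetOrgPerson",
                  ldif_line("cn", attrs["cn"]),
                  ldif_line("sn", attrs["cn"].split()[-1])]
        if mail:
            lines.append(ldif_line("mail", mail))
    lines.append(ldif_line("userCertificate;binary", cert_der))
    return "\n".join(lines + (["-"] if exists else [])) + "\n"

def process(raw, subject_dn, signer_emails, cert_der, directory):
    """One message through the gateway; `directory` stands in for a search of
    the organizational LDAP by mail address ({mail: existing entry DN})."""
    addr, signed = signed_sender(raw)
    if not signed:
        return None, "From: header not covered by the signature"
    if addr not in {e.lower() for e in signer_emails}:
        return None, "signed From: %s not in the signer certificate" % addr
    dn, attrs, mail = local_dn(subject_dn)
    existing = directory.get(addr)
    return ldif_change(existing or dn, attrs, mail, cert_der, existing is not None), "ok"
```

Calling `process(SAMPLE_MSG, SUBJECT_DN, SIGNER_EMAILS, CERT_DER, {})` yields an LDIF `changetype: add` record under the assumed base DN; passing `{"jdoe@example.com": "uid=jdoe," + BASE_DN}` as the directory stand-in yields a `changetype: modify` record against the entry found by address instead. A message whose only From: header is the unsigned outer one, or whose signed From: does not match an address in the signer certificate, is rejected before anything is written. In a real deployment the `directory` lookup would be an LDAP search and the LDIF would go to the review queue or to `ldapmodify`.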
What it is, what it is not

It is:
- a practical solution for a common problem
- a flexible tool

It's not:
- a complete replacement for a global directory infrastructure
- a mail2ldap gateway
- a coffee machine
Discussion

- User acceptance?
- Required features?
- Security aspects?
- Privacy aspects?