Presentation is loading. Please wait.

Presentation is loading. Please wait.

LDAP Items

Published byQuentin Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "LDAP Items"— Presentation transcript:

1 LDAP Items d.w.chadwick@salford.ac.uk Peter.Gietz@daasi.de

2 Contents LDAPv3 Profile New strings for RDNs LDAP schema for attribute extraction LDAPv3 protocol update LDAP schema for component matching Finding the LDAP server of a subject ;binary

3 LDAPv3 Profile issued in January 2002 No comments received except from Microsoft that does not support multi- attributes in RDNs. This feature is currently mandatory in the profile.

4 New strings for RDNs Update sent to the ID editor but 10 minutes late, so bounced. Will be resubmitted next week String X.500/LDAP AttributeType SERIALNUMBER serialNumber ADDR postalAddress PSEUDO pseudonym GN givenName SN surname MAIL mail/rfc822Mailbox PI permanentIdentifier X509SN x509serialNumber ISSUER x509issuer ISSUERSN x509issuerSerial UPDATE x509crlThisUpdate

5 LDAP Schema for Attribute Extraction LDAP directory CA/AA Search for Att 1.. Att i Return X.509 attribute XPS server Att1, Att2…Att n + [ ]

6 LDAP Schema for Attribute Extraction Revised IDs issued for certificates, CRLs and attribute certs Issue: whether the attribute for the binary cert/CRL should have a different attribute type in the child entry (in PKC it is different, in CRL and AC it is not) Issue: How much information to store from a CRLDP – just the URI of the full CRL or all general names plus reasons, issuers and relative name Issue: PKC schema has not added AA Controls extension from AC profile – should it? Issue: The attribute types defined in AC profile are not defined by LDAP (and cant be supported “as is” due to their complex syntax). The Klasen draft needs to become a full PKIX draft (the reason it did not this time was due to cut off dates)

7 Changes to PKC –03 draft Changed Matching Rules from caseIgnoreMatch to caseIgnoreIA5Match moved the references to RFC 3280 from the DESC part of the attribute definition to the text added some additional text about CIP in Introduction reworded text in Section 4.1.7 on Subject public key info algorithm to: „ OID identifying the algorithm associated with the certified public key“

8 Changes to PKC –03 draft contd. changed x509userCert and x509caCert to be inherited from userCertificate and caCertificate respectively added clarification about x509subject and subject alternative names in section Section 4.5 added attribute type x509issuerSerial to x509PKC object class added attribute type x509basicConstraintsCa to x509PKC object class renamed attributetype 509cRLDistributionPointURI to x509FullcRLDistributionPointURI

9 Changes to PKC –03 draft contd. devided references in normative and non normative deleted attributetype mail from x509PKC objectclass created separate Name Forms for 509userCertificate and x509caCertificate object classes changed attributetype x509SerialNumber to MULTI-VALUE adjusted examples to new schema Fixed more typos

10 Still todo Include AAcontrol extension from RFC 3281 into X509-PKC objectclass Add new auxiliary object class for qualified certificates (draft-ietf-pkix-sonof3039-00.txt) –What is the status of that draft? IANA considerations Resolve the issues with the AC and CRL draft

11 LDAPv3 Protocol Update Protocol is currently proposed standard but draft standard is in preparation ;binary has been removed from latest revision Probably will be added as an extension to LDAPv3 (Steven Legg ID) But this currently gives PKIX users a problem Chairs decided to ballot PKIX members on which LDAP they use and how

12 LDAPv3 Schema for Component Matching Separated into two IDs – PKI schema and PMI schema PKI schema has defined a native LDAP encoding for PKI attributes, which is bitwise identical to the ;binary encodings of the current LDAPv3 proposed standard Also added back the simple encoding for exact matching (from first ID) that is now implemented in OpenLDAP PKI schema is now finished (apart from ;binary issue) PMI schema needs a bit more work on it

13 LDAPv3 Any Other Issues There is currently no direct way for the recipient of a user certificate to find out where other certificates for the same user might be found The AIA and SIA do not provide this functionality ID has been written which defines a new Subject Certificate Access extension, and will be submitted next week Alternative would be to add a new value for SIA (or AIA) that points to the location(s) of the subject’s cert

Download ppt "LDAP Items"

Similar presentations

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.

Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.
Use of AIA for Attribute Certificates

Use of AIA for Attribute Certificates
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.

Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Configuration Management Supplement 67 Robert Horn, Agfa Healthcare.

Configuration Management Supplement 67 Robert Horn, Agfa Healthcare.
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:
Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.

Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.
Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:

Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
INFORMATION FOR NETWORK OPERATION. CONTENT Directory service Standard X.500 LDAP.

INFORMATION FOR NETWORK OPERATION. CONTENT Directory service Standard X.500 LDAP.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.

Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.

Similar presentations

Ads by Google