Abstract. We present a framework for extending the functionality of LDAP servers from their typical use as a public directory in public key infrastructures. In this framework the LDAP servers are used for administrating infrastructure processes. One application of this framework is a method for providing proof-of-possession, especially in the case of encryption keys. Another one is the secure delivery of software personal security environments.
Companies and organizations employ PKI technology to secure the communication in their intranets and over the internet. The services of authentication, non-repudiation, confidentiality and the transport of authorization information are often supported by X.509 certificates. The synchronization of the certificates' life-cycle with the management of the PKI users is a common problem. We propose a mechanism to achieve this synchronization based on directory services. This enables the information provided by the PKI to be updated transparently and offers a high potential for automation. The mechanism spares personnel and is less error-prone, since it relies on processes and data that are already established. It reduces the costs to bootstrap and operate the infrastructure. We show a case study on the proposed mechanism that was conducted at the Technische Universität Darmstadt in Germany in order to supply 20,000 students with certificates and keys.
The Server-Based Certificate Validation Protocol allows PKI clients to delegate to a server the construction or validation of certification paths. The protocol's specification focuses on the communication between the server and the client and its security. It does not discuss how the servers can efficiently locate the necessary PKI resources, such as certificates or certificate revocation lists. In this paper we concentrate on this topic. We present a simple and effective method to facilitate locating and using various PKI resources by the servers, without modifying the protocol. We use the extension mechanism of the protocol for notifying the servers about PKI repositories, certificates, and revocations. We specify the tasks of the servers and certificate issuers and define the messages that are exchanged between them. A proof of concept is given by implementing an SCVP server, a client, and the proposed method in Java.