Using LDAP Directories for Management of PKI Processes

Abstract: Abstract. We present a framework for extending the functionality of LDAP servers from their typical use as a public directory in public key infrastructures. In this framework the LDAP servers are used for administrating infrastructure processes. One application of this framework is a method for providing proof-of-possession, especially in the case of encryption keys. Another one is the secure delivery of software personal security environments.

“…This assures that a certicate cannot be used before the entity has updated its local data. The process can be enhanced to an indirect proof-of-possession as described in [8], if the entity's key-pair can be used for encryption. In this case the certicate would not be put in the attribute hiddenUserCertificate, but be encrypted with the contained public key and written to userEncryptedCertificate.…”

“…It allows them to download the certicates from the LDAP, store them on the smart card and write them back to the userCertificate attribute. The application supports proof-ofpossession by using the userEncryptedCertificate attribute as proposed in [8].…”

“…In this context they are used for publishing certicates and certicate revocation information. We show in [8] how LDAP directories can support two important PKI functions. One is to provide a proof-of-possession for keys that can be used only for encryption.…”

“…The progress of each operation is reected by the LDAP and thus it is visible to trust center operators as well as to entities. The mechanism can further be combined with the proof-of-possession described in [8]. This work has rst been presented at the 4th International Workshop for applied PKI (IWAP'05) [13].…”

“…The trust center must therefore be able to accept the respective data format, e.g. PKCS#10[15], or perform an indirect proof-of-possession as described in[8].3. The trust center generates the key-pair and ships it as a softtoken.…”

Life-cycle management of X.509 certificates based on LDAP directories

“…This assures that a certicate cannot be used before the entity has updated its local data. The process can be enhanced to an indirect proof-of-possession as described in [8], if the entity's key-pair can be used for encryption. In this case the certicate would not be put in the attribute hiddenUserCertificate, but be encrypted with the contained public key and written to userEncryptedCertificate.…”

“…It allows them to download the certicates from the LDAP, store them on the smart card and write them back to the userCertificate attribute. The application supports proof-ofpossession by using the userEncryptedCertificate attribute as proposed in [8].…”

“…In this context they are used for publishing certicates and certicate revocation information. We show in [8] how LDAP directories can support two important PKI functions. One is to provide a proof-of-possession for keys that can be used only for encryption.…”

“…The progress of each operation is reected by the LDAP and thus it is visible to trust center operators as well as to entities. The mechanism can further be combined with the proof-of-possession described in [8]. This work has rst been presented at the 4th International Workshop for applied PKI (IWAP'05) [13].…”

“…The trust center must therefore be able to accept the respective data format, e.g. PKCS#10[15], or perform an indirect proof-of-possession as described in[8].3. The trust center generates the key-pair and ships it as a softtoken.…”

Life-cycle management of X.509 certificates based on LDAP directories