Article

Secure and flexible certificate access in WS-security through LDAP component matching

Authors:

Sang Seok Lim,

Jong Hyuk Choi,

Kurt D. ZeilengaAuthors Info & Claims

SWS '04: Proceedings of the 2004 workshop on Secure web service

Pages 87 - 96

https://doi.org/10.1145/1111348.1111358

Published: 29 October 2004 Publication History

Get Access

Abstract

As an integral part of the Web Services Security (WS-Security), directory services are used to store and access X.509 certificates. Lightweight Directory Access Protocol (LDAP) is the predominant directory access protocol for the Internet, and hence for the Web services. Values of LDAP attribute and assertion value syntaxes, though defined using ASN.1, are encoded in simple octet string formats which generally do not preserve the complete structure of the abstract values. As a result, LDAP matching rules for certificates need to be provided in a certificate-syntax specific way, while X.500 matching rules can be constructed from structured ASN.1 syntax definition. Moreover, LDAP has traditionally lacked the capability to make assertions against components of values of complex syntaxes such as X.509 certificates. The WS-Security needs to be able to locate a target X.509 certificate by matching against arbitrary certificate components in its security token references. Therefore, WS-Security requires the directory server to be prepared with all the possible matching functions for maximum flexibility. This is very cumbersome due to the lack of ASN.1 awareness in LDAP server implementations. This led to development of remedies such as the recently proposed Certificate Parsing Server (XPS). XPS extracts relevant components of the certificate and stores them in separate and searchable attributes. Due to the significant downside of these remedies, we decided to seek after an ASN.1 based Component Matching alternative in an attempt to make an LDAP directory server ASN.1 aware. With Component Matching and ASN.1 awareness, LDAP can provide WS-Security with various matching rules flexibly. In this paper, we describe our implementation of the Component Matching and ASN.1 awareness in OpenLDAP Software. This paper will also describe the use of the Component Matching technology in various security components of Web Services, especially in the context of WS-Security and XKMS. The experimental results show that flexible and secure certificate access can be accomplished without sacrificing performance and manageability.

References

[1]

D. Box and D. Ehne. Simple object access protocol (SOAP). W3C Note, May 2000.

Abstract

References

Cited By

Index Terms

Recommendations

Design, implementation, and performance analysis of PKI certificate repository using LDAP Component Matching

Life-cycle management of X.509 certificates based on LDAP directories

Instant certificate revocation and publication using WebDAV

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations