Publication
SMC 2005
Conference paper

A new on-line certificate validation method using LDAP component matching technology

Abstract

This paper presents a new on-line certificate validation method which provides a higher degree of security, scalability, and interoperability than the pre-existing approaches. It combines two basic data structures for certificate revocation, the Certificate Revocation List (CRL) and an authenticated dictionary such as the Certificate Revocation Tree (CRT), into a single framework by utilizing a component-matching-enabled Lightweight Directory Access Protocol (LDAP) service. With the new method, end entities that want to check the validity of a certificate can request an extended LDAP search operation with a component matching assertion against all revoked certificate components in a CRL and check whether a revoked certificate having the asserted serial number is found. In order to ensure strong security without requiring trusted directories, CRLs are represented as an authenticated dictionary when decoded from Distinguished Encoding Rules (DER) to an internal ASN.1 representation. The information required to construct the authenticated dictionary is conveyed from the Certificate Authority (CA) via a new CRL extension. The proposed method offers a number of advantages over previous approaches such as the Online Certificate Status Protocol (OCSP): 1) it enables higher security because it does not require trusted entities other than the CA, such as trusted LDAP servers and trusted OCSP responders; 2) it improves scalability and performance because it does not require responses to be signed as in OCSP; 3) it interoperates well with the existing CRL framework; and 4) it does not need support for additional protocols for on-line certificate validation because it is built on LDAP, which is the main access method for downloading CRLs. The proposed method can also be used as a CRL backend for OCSP to offload CRL management and to enhance its trust model. © 2005 IEEE.

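The abstract's central security claim is that an untrusted LDAP server can answer revocation queries because the CRL is served as an authenticated dictionary whose root commitment comes from the CA (via the new CRL extension) rather than from the directory. The following Python example, added here to illustrate that idea, is not code from the paper: it builds a Certificate Revocation Tree-style hash tree over a constructed list of revoked serial numbers, lets an untrusted "directory" answer a serial-number lookup with a leaf plus a Merkle path, and has the relying party verify the answer against the CA-supplied root. The interval-leaf layout, SHA-256, the domain-separation prefixes and the sample serials are all assumptions of this example; the real scheme's CRL extension format and the CA's signature over the CRL are not modelled, so the root is simply treated as trusted input.

```python
import hashlib
from bisect import bisect_right
from typing import List, Optional, Tuple

# A leaf is the half-open interval [lo, hi) of serial numbers; it asserts
# "lo is revoked (unless lo is None) and no serial in (lo, hi) is revoked".
# None marks an open end, so the first leaf is (None, r1) and the last (rn, None).
Interval = Tuple[Optional[int], Optional[int]]
Path = List[Tuple[bytes, bool]]  # (sibling hash, sibling is on the left)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(lo: Optional[int], hi: Optional[int]) -> bytes:
    # Domain-separated so a leaf can never be passed off as an inner node.
    return _h(f"leaf|{lo}|{hi}".encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"node|" + left + right)


class RevocationTree:
    """Authenticated dictionary over the revoked serials of one CRL.

    Built by the CA (which publishes root in the CRL) and by the directory
    (which rebuilds it from the DER-decoded CRL to answer lookups)."""

    def __init__(self, revoked_serials):
        self.serials = sorted(set(revoked_serials))
        bounds = [None] + self.serials + [None]
        self.leaves: List[Interval] = [(bounds[i], bounds[i + 1]) for i in range(len(bounds) - 1)]
        self.levels = [[leaf_hash(lo, hi) for lo, hi in self.leaves]]
        while len(self.levels[-1]) > 1:
            prev, nxt = self.levels[-1], []
            for i in range(0, len(prev), 2):
                # An unpaired last node is promoted unchanged to the next level.
                nxt.append(node_hash(prev[i], prev[i + 1]) if i + 1 < len(prev) else prev[i])
            self.levels.append(nxt)

    @property
    def root(self) -> bytes:
        return self.levels[-1][0]

    def lookup(self, serial: int) -> Tuple[Interval, Path]:
        # Directory side: return the one leaf whose interval covers the serial.
        idx = bisect_right(self.serials, serial)
        return self.leaves[idx], self.proof(idx)

    def proof(self, idx: int) -> Path:
        path: Path = []
        for level in self.levels[:-1]:
            sibling = idx ^ 1
            if sibling < len(level):  # promoted nodes have no sibling at this level
                path.append((level[sibling], sibling < idx))
            idx //= 2
        return path


def verify_path(trusted_root: bytes, leaf: Interval, path: Path) -> bool:
    # Relying-party side: recompute the root from the leaf and its siblings.
    cur = leaf_hash(*leaf)
    for sibling, sibling_is_left in path:
        cur = node_hash(sibling, cur) if sibling_is_left else node_hash(cur, sibling)
    return cur == trusted_root


def certificate_status(serial: int, leaf: Interval, path: Path, trusted_root: bytes) -> str:
    """'revoked', 'good', or 'unverified' when the directory's answer is not
    bound to the CA's root or does not actually cover the queried serial."""
    if not verify_path(trusted_root, leaf, path):
        return "unverified"
    lo, hi = leaf
    if not ((lo is None or lo <= serial) and (hi is None or serial < hi)):
        return "unverified"
    return "revoked" if serial == lo else "good"


# Constructed sample CRL contents (not real certificate serial numbers).
REVOKED = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x9293]

if __name__ == "__main__":
    ca_root = RevocationTree(REVOKED).root          # conveyed in the CRL extension
    directory = RevocationTree(REVOKED)             # untrusted LDAP server's copy
    for s in (0x3C4D, 0x2000, 0x9294):
        leaf, path = directory.lookup(s)
        print(hex(s), certificate_status(s, leaf, path, ca_root))
```

The two failure modes worth seeing are a directory that omits a revoked serial from its copy of the CRL (its leaf then claims the gap is clean, but the recomputed root no longer matches the CA's) and a directory that returns a genuine leaf for the wrong interval (the path verifies, but the interval check rejects it). In both cases the relying party reports "unverified" rather than "good", which is what lets the directory be untrusted.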