Design, implementation, and performance analysis of PKI certificate repository using LDAP component matching

Abstract

The X.509 certificate stored in a Lightweight Directory Access Protocol (LDAP) certificate repository requires secure and flexible means to make assertions against its component values such as the identity of its owner, issuer, and the intended usage of the public key contained therein. LDAP has traditionally lacked this ability because its string-based encodings do not have a standardized way of carrying structural information of complex syntaxes as in X.500. The traditional remedies to this limitation are (1) to provide certificate-specific matching for a limited set of components and their combinations and (2) to extract and store the certificate components in separate searchable attributes. Neither of these remedies is considered complete, because the former lacks flexibility while the latter heightens complexity in managing the integrity of the certificate repository and doubles storage requirements. Owing to the significant downside of these remedies, we investigate the possibility of an Abstract Syntax Notation One-based Component Matching alternative. In this paper, we present (1) the design and implementation of the LDAP Component Matching for an OpenLDAP directory server to facilitate its use as the certificate repository in Public Key Infrastructure (PKI), (2) various optimization mechanisms to increase the performance of the Component Matching and their implementation in OpenLDAP, and (3) the detailed performance analysis of the LDAP directory server as a certificate repository in comparison with the traditional certificate-specific matching and the attribute extraction approaches. We show that Component Matching, if equipped with the optimization techniques proposed in this paper, outperforms the traditional approaches. Copyright © 2007 John Wiley & Sons, Ltd.