Secure and flexible certificate access in WS security through LDAP component matching

Abstract

As an integral part of the Web Services Security (WS-Securi ty), directory services are used to store and access X.509 certificates. Lightweight Directory Access Protocol (LDAP) is the predominant directory access protocol for the Internet, and hence for the Web services. Values of LDAP attribute and assertion value syntaxes, though defined using ASN.1, are encoded in simple octet string formats which generally do not preserve the complete structure of the abstract values. As a result, LDAP matching rules for certificates need to be provided in a certificate-syntax specific way, while X.500 matching rules can be constructed from structured ASN.1 syntax definition. Moreover, LDAP has traditionally lacked the capability to make assertions against components of values of complex syntaxes such as X.509 certificates. The WS-Security needs to be able to locate a target X.509 certificate by matching against arbitrary certificate components in its security token references. Therefore, WS-Security re- quires the directory server to be prepared with all the possible matching functions for maximum flexibility. This is very cumbersome due to the lack of ASN.1 awareness in LDAP server implementations. This led to development of remedies such as the recently proposed Certificate Parsing Server (XPS). XPS extracts relevant components of the certificate and stores them in separate and searchable attributes. Due to the significant downside of these remedies, we decided to seek after an ASN.1 based Component Matching alternative in an attempt to make an LDAP directory server ASN.1 aware. With Component Matching and ASN.1 awareness, LDAP can provide WS-Security with various matching rules flexibly. In this paper, we describe our implementation of the Component Matching and ASN.1 awareness in OpenL- DAP Software. This paper will also describe the use of the Component Matching technology in various security components of Web Services, especially in the context of WS- Security and XKMS. The experimental results show that flexible and secure certificate access can be accomplished without sacrificing performance and manageability.