Certification Path Building

Question 1

LDAP

Answer 1

• Offers various sand flexible solutions
• Collection of open source systems cooperating to provide directory services
• Directory accessed through a client

Question 2

LDAP Data Model

Answer 2

• Data is stored as entries
• Every entry has a unique identifier (DN)
  -> Entry’s DN = its Relative DN + parent entry’s DN
  -> Usually the subjectDN of an X.509 certificate matches the DN of the LDAP
• Every entry has one or more attributes
• Every attribute has a name (type) and one or more values

Question 3

LDAP Security

Answer 3

• Enable TLS/SSL -> LDAPS
  -> Network Security
  -> Identify the server
  -> Client authentication
• Authentication: Simple, SASL, TLS

Question 4

Certification Path Building

Answer 4

• Guidance and recommendations to developers building X.509 certification paths
• Criterion 1: The implementation is able to find all possible paths, excepting paths containing repeated subject name/public key pairs
• Criterion 2: The implementation is as efficient as possible. An efficient certification path-building implementation is defined to be one that builds paths that are more likely to validate following RFC 5280, before building paths that are not likely to validate

Question 5

Server-Based Certificate Validation Protocol

Answer 5

• Allows:
  -> Delegation of certification path construction and validation to a server
  -> Simplification of client implementations
  -> Use of a set of predefined validation policies

Question 6

Forward search

Answer 6

• Start with the end entity certificate
• Only use certificates found in
  -> caCertificate attributes
  -> forward (issuedToThisCA) element of the crossCertificatePair attributes
• Recommendation: Disallow repeated subject name/public key pairs