110 likes | 280 Views
S/MIME Certificate Collector. Motivation Proposed Solution Discussion. Situation Today. LDAP directories accepted as PKIX repository but... no globally working directory infrastructure 1 LDAP hidden behind organizational boundaries different ways for storing certificates in directory
E N D
S/MIME Certificate Collector • Motivation • Proposed Solution • Discussion
Situation Today LDAP directories accepted as PKIX repository but... • no globally working directory infrastructure 1 LDAP hidden behind organizational boundaries • different ways for storing certificates in directory 1 E-Mail certificates are usually distributed via S/MIME (in-band) or HTTP (out-of-band) 1 no easy-to-use standard way for search & retrieval
Dealing With Local Directories Accept existence of organizational directories as is: • Local naming conventions1 Naming transformation subject DN to LDAP DN1 Plug-ins • Access control (administration and firewalls)1 use widely accepted transport protocol crossing org. boundaries 1 SMTP • Storage schemes (often depending on PKI products)1 Plug-ins
Why S/MIME e-mails? • SMTP is widely deployed protocol and crosses organizational boundaries like firewalls easily • S/MIME implemented in commonly deployed MUAs • Signed S/MIME e-mails contain sender's certificate (if configured) • Sender "publishes" his/her certificate by sending signed e-mail to certain e-mail address
Privacy • Adding his/her certificate has to be intention of user • User himself/herself publishes by sending e-mail to a certain address • Signature has to be validated, maybe From: header in the signed body • Privacy requirements have to be met by organizational directory
Access Control • Possibly data is reviewed by local directory administrator before being added • Signature has to be validated against trusted root certificate • Access control within organizational directory is subject of directory's configuration
Directory Access • Directly write to LDAP directory • Add new entries if necessary • Modify existing entries (e.g. search by e-mail address) • Write data for review and bulk upload (LDIF, DSML) • Write replication log • How's data removed?
What it is, what it is not It is a • practical solution for a common problem • a flexible tool It's not a • complete replacement for a global directory infrastructure • mail2ldap gateway • coffee machine
Discussion • User acceptance? • Required features? • Security aspects? • Privacy aspects?