1 / 11

S/MIME Certificate Collector

S/MIME Certificate Collector. Motivation Proposed Solution Discussion. Situation Today. LDAP directories accepted as PKIX repository but... no globally working directory infrastructure 1 LDAP hidden behind organizational boundaries different ways for storing certificates in directory

dcedric
Download Presentation

S/MIME Certificate Collector

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. S/MIME Certificate Collector • Motivation • Proposed Solution • Discussion

  2. Situation Today LDAP directories accepted as PKIX repository but... • no globally working directory infrastructure 1 LDAP hidden behind organizational boundaries • different ways for storing certificates in directory 1 E-Mail certificates are usually distributed via S/MIME (in-band) or HTTP (out-of-band) 1 no easy-to-use standard way for search & retrieval

  3. Situation Today

  4. S/MIME Cert Collector

  5. Dealing With Local Directories Accept existence of organizational directories as is: • Local naming conventions1 Naming transformation subject DN to LDAP DN1 Plug-ins • Access control (administration and firewalls)1 use widely accepted transport protocol crossing org. boundaries 1 SMTP • Storage schemes (often depending on PKI products)1 Plug-ins

  6. Why S/MIME e-mails? • SMTP is widely deployed protocol and crosses organizational boundaries like firewalls easily • S/MIME implemented in commonly deployed MUAs • Signed S/MIME e-mails contain sender's certificate (if configured) • Sender "publishes" his/her certificate by sending signed e-mail to certain e-mail address

  7. Privacy • Adding his/her certificate has to be intention of user • User himself/herself publishes by sending e-mail to a certain address • Signature has to be validated, maybe From: header in the signed body • Privacy requirements have to be met by organizational directory

  8. Access Control • Possibly data is reviewed by local directory administrator before being added • Signature has to be validated against trusted root certificate • Access control within organizational directory is subject of directory's configuration

  9. Directory Access • Directly write to LDAP directory • Add new entries if necessary • Modify existing entries (e.g. search by e-mail address) • Write data for review and bulk upload (LDIF, DSML) • Write replication log • How's data removed?

  10. What it is, what it is not It is a • practical solution for a common problem • a flexible tool It's not a • complete replacement for a global directory infrastructure • mail2ldap gateway • coffee machine

  11. Discussion • User acceptance? • Required features? • Security aspects? • Privacy aspects?

More Related