Design, Implementation, and Performance Analysis of PKI Certificate Repository using LDAP Component Matching

The X.509 certificate stored in an LDAP certificate repository requires secure and flexible means to make assertions against its component values, such as the identity of its owner and issuer and the intended usage of the public key it contains. LDAP has traditionally lacked this ability because its string-based encodings have no standardized way to carry the structural information of complex syntaxes, as X.500 does. The traditional remedies to this limitation of LDAP are 1) to provide certificate-specific matching for a limited set of components and their combinations and 2) to extract the certificate components and store them in separate searchable attributes. Neither remedy is considered complete: the former lacks flexibility, while the latter heightens the complexity of managing the integrity of the certificate repository and doubles the storage requirements. Because of the significant downsides of these remedies, we investigate the possibility of an ASN.1-based Component Matching alternative. In this paper, we present 1) the design and implementation of LDAP Component Matching for the OpenLDAP directory server to facilitate its use as the certificate repository in a PKI, 2) various optimization mechanisms that increase the performance of Component Matching, and their implementation in OpenLDAP, and 3) a detailed performance analysis of the LDAP directory server as a certificate repository in comparison with the traditional certificate-specific matching and attribute extraction approaches. We show that Component Matching, when equipped with the optimization techniques proposed in this paper, outperforms the traditional approaches.
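The component-level assertions the abstract describes, as an added example that is not code from the paper or from OpenLDAP: a small Python evaluator for RFC 3687-style component filters (the item:/and:/or:/not: forms, each item naming a component reference, a matching rule and an assertion value) run against a constructed, already-decoded certificate. Everything beyond the filter shape is an assumption of the example: the certificate content, the dict/list stand-in for a decoded ASN.1 value, the 0-based element index, and the simplified stand-ins for the LDAP matching rules (the real distinguishedNameMatch, for instance, is far more involved than the case-fold used here).

```python
"""RFC 3687-style Component Matching against a decoded X.509 certificate (constructed
example: dicts/lists stand in for the decoded ASN.1 value a server like OpenLDAP walks)."""
import re

# Constructed sample certificate in decoded form; names follow the X.509 ASN.1 module.
SAMPLE_CERT = {
    "toBeSigned": {
        "serialNumber": 4660,
        "issuer": "cn=Example CA,o=Example Corp",
        "subject": "cn=alice,o=Example Corp",
        "extensions": [                                  # keyUsage, basicConstraints
            {"extnID": "2.5.29.15", "extnValue": {"digitalSignature": True}},
            {"extnID": "2.5.29.19", "extnValue": {"cA": False}},
        ],
    },
    "signatureAlgorithm": "1.2.840.113549.1.1.11",       # sha256WithRSAEncryption
}

def tokenize(text):
    """Split 'item:{ component "a.b", rule x, value "y" }' into tokens."""
    return re.findall(r'"[^"]*"|[{},]|[A-Za-z0-9_.*]+:?', text)

class FilterParser:
    """Recursive-descent parser for the item:/and:/or:/not: filter forms."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [None], 0    # None marks end of input
    def peek(self):
        return self.toks[self.i]
    def take(self, expected=None):
        tok = self.toks[self.i]
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.i += 1
        return tok
    def parse(self):
        tok = self.take()
        if tok == "not:":
            return ("not", self.parse())
        if tok in ("and:", "or:"):
            self.take("{")
            subs = [self.parse()]
            while self.peek() == ",":
                self.take(",")
                subs.append(self.parse())
            self.take("}")
            return (tok[:-1], subs)
        if tok == "item:":
            self.take("{")
            body = []
            while self.peek() != "}":
                body.append(self.take())
            self.take("}")
            fields = dict(zip(body[0::3], body[1::3]))     # "key value ," triples
            return ("item", fields["component"].strip('"'), fields["rule"],
                    fields.get("value", "").strip('"'))
        raise ValueError("unexpected token %r" % tok)

def components(value, path):
    """Values named by a component reference: a name picks a SEQUENCE/SET member,
    '*' every element of a SET OF/SEQUENCE OF, a digit one element (0-based here)."""
    found = [value]
    for step in path.split("."):
        nxt = []
        for v in found:
            if isinstance(v, list):
                if step == "*":
                    nxt.extend(v)
                elif step.isdigit() and int(step) < len(v):
                    nxt.append(v[int(step)])
            elif isinstance(v, dict) and step in v:
                nxt.append(v[step])
        found = nxt
    return found

def _norm_dn(dn):   # simplified DN normalisation; the real rule (RFC 4517) does more
    return ",".join(p.strip().lower() for p in str(dn).split(","))

RULES = {  # matching rule name -> (assertion, component value) -> bool
    "caseIgnoreMatch": lambda a, v: str(v).strip().lower() == a.strip().lower(),
    "distinguishedNameMatch": lambda a, v: _norm_dn(v) == _norm_dn(a),
    "integerMatch": lambda a, v: type(v) is int and v == int(a),
    "objectIdentifierMatch": lambda a, v: str(v) == a,
    "booleanMatch": lambda a, v: isinstance(v, bool) and v == (a.upper() == "TRUE"),
    "presentMatch": lambda a, v: True,
}

def evaluate(filt, value):
    # An absent component simply fails to match rather than raising an error.
    kind = filt[0]
    if kind == "not":
        return not evaluate(filt[1], value)
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(evaluate(f, value) for f in filt[1])
    _, path, rule, assertion = filt
    return any(RULES[rule](assertion, v) for v in components(value, path))

def matches_certificate(filter_text, cert=SAMPLE_CERT):
    return evaluate(FilterParser(filter_text).parse(), cert)
```

The point the abstract makes is visible in `components`: because the assertion walks the decoded structure, any component (issuer, serial number, a particular extension's value) can be matched with the rule appropriate to its type, without a per-component attribute being extracted and kept in sync, and without a dedicated matching rule for each combination of components.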

By: Sang Seok Lim; Jong Hyuk Choi; Kurt D. Zeilenga

Published in: 2008

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.

rc24339.pdf
