Design, Implementation, and Performance Analysis of PKI Certificate Repository using LDAP Component Matching

The X.509 certificate stored in an LDAP certificate repository requires secure and flexible means to make assertions against its component values such as the identity of its owner, issuer, and the intended usage of the public key contained therein. LDAP has traditionally lacked this ability because its string based encodings do not have a standardized way to carry structural information of complex syntaxes as in X.500. The traditional remedies to this LDAP's limitation are 1) to provide certificate specific matching for a limited set of components and their combinations and 2) to extract and store the certificate components in separate searchable attributes. Neither of these remedies are considered complete because the former lacks flexibility while the latter heightens complexity in managing the integrity of the certificate repository and doubles storage requirements. Due to the significant downside of these remedies, we investigate the possibility of an ASN.1 based Component Matching alternative. In this paper, we present 1) the design and implementation of the LDAP Component Matching for an OpenLDAP directory server to facilitate its use as the certificate repository in PKI, 2) various optimization mechanisms to increase the performance of the Component Matching and their implementation in OpenLDAP, and 3) the detailed performance analysis of the LDAP directory server as a certficate repository in comparison with the traditional certificate specific matching and the attribute extraction approaches. We show that Component Matching, if equipped with the optimization techniques proposed in this paper, outperforms the traditional approaches.

By: Sang Seok Lim; Jong Hyuk Choi; Kurt D. Zeilenga

Published in: , volume , (no ), pages in 2008


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .