
In the context of Public Key Infrastructure? By LDAP I mean publicly available public keys exposed by an LDAP server that you can query using the LDAP protocol. CRL stands for certificate revocation list; in other words, it contains certificates not to be trusted. Do these two protocols depend on the same database of public key certificates? I have a CA here that announced it would not continue updating the CRL, but its responses to LDAP queries seem up to date.

Dante

2 Answers

  • LDAP is a small light-weight protocol specified by RFC4511. Nowadays the term LDAP is used to refer to the directory information tree (DIT) in addition to the protocol itself

  • A certificate revocation list (CRL) is a list of certificate serial numbers that have been revoked by an issuing authority or validation authority and therefore cannot be used reliably by clients

  • LDAP is often used as a data store for PKI information such as public keys, private keys, and certificates and in fact excels at this task

Terry Gardner
  • HTTP is an alternate access method for CRL information. In the US Federal and CertiPath PKIs, HTTP has become the standard and LDAP is now uncommon.
  • CRL information can also be obtained in a 1:1 way through OCSP, which uses a Q&A-style method to inquire about revocation status for a specific digital certificate/public key. This is particularly useful when up-to-the-minute revocation information is necessary or if CRL sizes are vast (e.g., US DoD's PKI). HTTP is the protocol for OCSP and is rarely done over HTTPS as the OCSP responses are already digitally signed.

Your specific question referenced the CA's intent to not publish further CRL updates. Hopefully this means they are ceasing CA operations altogether and will take the CA offline. The obvious concern is that should any of the end-entity keys this CA has issued become lost or compromised, there is no revocation information going forward. Additionally though, a CA (self-signed root) that is online always has the possibility of being compromised and must be able to post a CRL that revokes itself should that occur. Consider carefully how much trust you place in credentials issued from a trusted authority that is no longer authoritative.
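The two checks the answers describe, as an added example that is not part of either answer: a CRL is a signed list of revoked serial numbers (first answer), and once a CA stops publishing updates the list passes its nextUpdate and can no longer answer the revocation question (the second answer's concern). It assumes the Python `cryptography` library is installed; the CA key, name and serial numbers are constructed for illustration.

```python
# Added example, not from the question or answers: issue a small CRL with the
# `cryptography` library and run the two checks a relying party must make before
# trusting it: is the serial listed, and is the CRL itself still current (nextUpdate)?
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_KEY = ec.generate_private_key(ec.SECP256R1())  # constructed, hypothetical CA key
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
REVOKED_SERIAL = 0x1A2B3C  # constructed serial of a revoked end-entity certificate
VALID_SERIAL = 0x4D5E6F    # constructed serial of a certificate still in good standing

def build_crl(issued_at: datetime, lifetime: timedelta) -> x509.CertificateRevocationList:
    """Sign a CRL listing REVOKED_SERIAL, valid from issued_at for `lifetime`."""
    revoked = (x509.RevokedCertificateBuilder().serial_number(REVOKED_SERIAL)
               .revocation_date(issued_at).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
            .last_update(issued_at).next_update(issued_at + lifetime)
            .add_revoked_certificate(revoked).sign(CA_KEY, hashes.SHA256()))

def revocation_status(crl: x509.CertificateRevocationList, serial: int, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown' for `serial` according to `crl` at `now`."""
    # 'unknown' means the CRL cannot be relied on (bad signature or past nextUpdate),
    # which is exactly what a CA that stops publishing CRLs leaves its relying parties with.
    if not crl.is_signature_valid(CA_KEY.public_key()):
        return "unknown"
    # next_update_utc exists in cryptography >= 42; older releases expose a naive UTC value.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if now > next_update:
        return "unknown"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"

def demo() -> dict:
    """Check both serials one day after issue, then the valid one after the CRL expires."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    crl = build_crl(issued, timedelta(days=7))
    fresh, stale = issued + timedelta(days=1), issued + timedelta(days=30)
    return {"revoked": revocation_status(crl, REVOKED_SERIAL, fresh),
            "valid": revocation_status(crl, VALID_SERIAL, fresh),
            "stale": revocation_status(crl, VALID_SERIAL, stale)}

if __name__ == "__main__":
    print(demo())  # {'revoked': 'revoked', 'valid': 'good', 'stale': 'unknown'}
```

The "stale" result is the practical point: a relying party that keeps honouring a CRL past its nextUpdate, or falls back to "good" when no fresh CRL can be fetched, has silently lost revocation checking.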