Re: Request for Opinion - LDAP Proxy in a PKI environment
Ed Greshko wrote:
>
> Hello,
>
> A question has begun to crop up in various places about the suitability of
> using an LDAP proxy with caching in a PKI environment. The particular
> environment in question uses CRLs stored in a single LDAP object.
>
> My initial reaction to this is that it would be undesirable to deploy a
> proxy with caching.
>
> I'm interested in what views others would have.....
>
> Thanks,
> Ed
You are essentially correct, Ed.
The caching proxy basically becomes a trusted entity, because you're trusting
it to notice that the CRL has been updated in the CA's directory server.
Because a user has no way of knowing whether or not a CRL has been issued
before the previous CRL's nextUpdate time, the user has to trust the proxy to
fetch new CRLs.
This makes the proxy a target for attacks, because if I can get your proxy to
serve stale-but-unexpired CRLs I can get you to accept a recently-revoked
certificate.
This applies to all kinds of caching proxies, not just LDAP ones. OCSP
suffers the same problem when caching HTTP proxies are used. In a PKI, you
have to trust your direct source of information, be it a proxy, a directory,
or a CA's own server.
The implications of this for using untrusted directories in a PKI are left as
an exercise for the reader.
Marc
+------------------------------------------------------------------------+
Marc Branchaud \/
Chief PKI Architect /\CERT INTERNATIONAL INC.
marcnarc@xcert.com PKI References page: www.xcert.com
604-640-6227 www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
PGP key fingerprint: 60 11 4B 9D 4E E5 2F 47 BD C5 C2 BF 26 DF 5A E1
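As an added illustration of the point Marc makes above (this is example code written for this page, not anything from the thread or from Xcert), the following Python models a relying party that receives CRLs through a caching proxy. It shows why validity by nextUpdate alone cannot reveal that the CA has already issued a newer CRL, and two defender-side responses a deployment can add: a local maximum cache age that bounds the stale window independently of nextUpdate, and an out-of-band audit that compares the CRL number served by the proxy with the one in the CA's own directory. All CRL numbers, timestamps and serial numbers are constructed for the example; the function names (`is_within_validity`, `accept_cached_crl`, `audit_proxy`, `scenario`) are this example's own and not any library's API.

```python
"""Added example (not from the thread): why a caching proxy becomes a trusted
party for CRL freshness, and two checks a relying party can add.

All CRL numbers, times and serial numbers below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CrlInfo:
    """The fields of a CRL that matter here (constructed, not parsed from DER)."""
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = frozenset()


def is_within_validity(crl: CrlInfo, now: datetime) -> bool:
    """The only freshness test a relying party can do from the CRL itself:
    thisUpdate <= now < nextUpdate. It says nothing about whether the CA has
    issued a newer CRL in the meantime."""
    return crl.this_update <= now < crl.next_update


def is_revoked(crl: CrlInfo, serial: int) -> bool:
    """Revocation status according to one particular CRL."""
    return serial in crl.revoked_serials


def accept_cached_crl(cached: CrlInfo, now: datetime, max_age: timedelta) -> bool:
    """Mitigation: accept a proxy-served copy only while it is within validity
    AND no older than max_age since its thisUpdate. This bounds how long a
    stale-but-unexpired CRL can be relied upon, regardless of proxy behaviour."""
    return is_within_validity(cached, now) and (now - cached.this_update) <= max_age


def audit_proxy(cached: CrlInfo, authoritative: CrlInfo) -> bool:
    """Detection: compare the CRL number the proxy serves with the one in the
    CA's own directory. Returns True when the proxy is behind. This needs a
    direct read of the authoritative source, which is exactly the trust the
    proxy was supposed to remove from the path."""
    return authoritative.crl_number > cached.crl_number


def scenario() -> dict:
    """Constructed timeline: CRL #1234 is issued at t0 with a 24h validity.
    Six hours later the CA revokes serial 0x1F and issues CRL #1235. At t0+12h
    the proxy still serves #1234, which is within its validity period."""
    t0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
    crl_old = CrlInfo(1234, t0, t0 + timedelta(hours=24), frozenset())
    crl_new = CrlInfo(1235, t0 + timedelta(hours=6), t0 + timedelta(hours=30),
                      frozenset({0x1F}))
    now = t0 + timedelta(hours=12)
    revoked_serial = 0x1F
    return {
        # The cached CRL looks fine on its own terms...
        "cached_still_valid": is_within_validity(crl_old, now),
        # ...and reports the recently revoked certificate as good.
        "cached_says_revoked": is_revoked(crl_old, revoked_serial),
        "authoritative_says_revoked": is_revoked(crl_new, revoked_serial),
        # A 4h maximum cache age forces a refetch instead of trusting the copy.
        "accept_with_max_age_4h": accept_cached_crl(crl_old, now, timedelta(hours=4)),
        # An audit against the CA's directory flags the proxy as behind.
        "proxy_stale": audit_proxy(crl_old, crl_new),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The max-age check trades freshness for load in a way the relying party controls rather than the proxy; the audit is a monitoring job run against the authoritative directory, not something the per-request path can afford, which is why the direct source still has to be trusted.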