
An LDAP Control and Schema for Holding Operation Signatures (RFC2649)

IP.com Disclosure Number: IPCOM000003237D
Original Publication Date: 1999-Aug-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 12 page(s) / 19K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

B. Greenblatt: AUTHOR [+2]

Abstract

In many environments clients require the ability to validate the source and integrity of information provided by the directory. This document describes an LDAP message control which allows for the retrieval of digitally signed information. This document defines an LDAP v3 based mechanism for signing directory operations in order to create a secure journal of changes that have been made to each directory entry. Both client and server based signatures are supported. An object class for the subsequent retrieval of "journal entries" is also defined. This document specifies LDAP v3 controls that enable this functionality. It also defines an LDAP v3 schema that allows for subsequent browsing of the journal information.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 14% of the total text.

Network Working Group                                      B. Greenblatt
Request for Comments: 2649                                    P. Richard
Category: Experimental                                       August 1999

An LDAP Control and Schema for Holding Operation Signatures

Status of this Memo

This memo defines an Experimental Protocol for the Internet community.
It does not specify an Internet standard of any kind. Discussion and
suggestions for improvement are requested. Distribution of this memo is
unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

In many environments clients require the ability to validate the source
and integrity of information provided by the directory. This document
describes an LDAP message control which allows for the retrieval of
digitally signed information. This document defines an LDAP v3 based
mechanism for signing directory operations in order to create a secure
journal of changes that have been made to each directory entry. Both
client and server based signatures are supported. An object class for
the subsequent retrieval of "journal entries" is also defined. This
document specifies LDAP v3 controls that enable this functionality. It
also defines an LDAP v3 schema that allows for subsequent browsing of
the journal information.

Table of Contents

1. Introduction
1.1 Audit Trail Mechanism
1.2 Handling the Delete Operation
2. Signed Results Mechanism
3. Security Considerations and Other Notes
4. References
5. Authors' Addresses
6. Full Copyright Statement

1. Introduction

In many environments clients require the ability to validate the source
and integrity of information provided by the directory. This document
describes an LDAP message control which allows for the retrieval of
digitally signed information. The perspective of this document is that
the origin of the information that is stored in LDAP v3 accessible
directories is the LDAP v3 client that creates the information. The
source and integrity of the information is guaranteed by allowing for
the digital signing of the operations that make changes to entries in
the directory. The source and integrity of an individual LDAP
connection can be guaranteed by making use of