Kent Academic Repository

Deficiencies in LDAP when used to support a Public Key Infrastructure

Chadwick, David W. (2003) Deficiencies in LDAP when used to support a Public Key Infrastructure. Communications of the ACM, 46 (3). pp. 99-104. ISSN 0001-0782. (The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided) (KAR id:13999)

Official URL:
http://www.cs.kent.ac.uk/pubs/2003/2108

Abstract

The lightweight directory access protocol (LDAP) is the Internet standard way of accessing directory services that conform to the X.500 data model. It is very widely supported by all the leading software vendors, and is part of Windows 2000 Active Directory. LDAP comes in two versions:

  • LDAPv2 - the original lightweight variation of the X.500 Directory Access Protocol (DAP), and
  • LDAPv3 [10] - the heavyweight version.

Whilst the DAP was designed from its inception to support public key infrastructures (PKIs), being part of the same X.500 family of standards as X.509, LDAP was not. LDAP has however become the predominant protocol in support of PKIs accessing directory services for certificates and certificate revocation lists (CRLs), but because of its lineage, it has some deficiencies. This paper describes the deficiencies in both the LDAPv2 and v3 protocols, along with the solutions that have been and are being standardised within the IETF to rectify them. The deficiencies are documented firstly for a centralised directory service, in which a single standalone LDAP server is used to support a single PKI, and secondly for a distributed directory service, in which there are many LDAP servers that need to co-operate in order to support a network of interconnected PKIs.

Item Type: Article
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Mark Wheadon
Date Deposited: 24 Nov 2008 18:01 UTC
Last Modified: 16 Nov 2021 09:52 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/13999 (The current URI for this page, for reference purposes)
