openOSI project

X.509 Certificates

X509 is a certificate framework for asymmetric-key cryptography, designed on top of the OSI stack. It is widely accepted for authentication, signing and encryption.

There is no real competing technology. Certificates are used in many protocols and security applications, including some Kerberos implementations such as the open source KX.509.

The X509 technology is based on a public/private key pair, the public key being signed with the private key of a referring authority. All the "children" of that signing authority participate in a common PKI (Public Key Infrastructure). Integration with the X500 / LDAP naming scheme is defined by the IETF in RFC 2253.

X509 uses the X500 name space, so LDAP is the most suitable repository, although others (databases, ...) could be used.

The main constraint is the availability of a network of pre-existing trust relationships, especially for the root authority (the first certification authority, holding the first self-signed public certificate). Many commercial companies (Verisign and many others) sell signed certificates, which allows an organisation to operate its own PKI with subordinate authorities. The certification process uses certification classes based on the level of assurance with which the certificate request was authenticated.
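As an added example (not code from the openOSI project), the Go standard library's crypto/x509 package can show the structure just described: a self-signed root authority, a "child" certificate whose public key is signed with the authority's private key, a trust check that only accepts children of that root, and the RFC 2253 string form of the X500 names. All names and validity periods are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short; real code would propagate the error instead of panicking.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer (self-signed when parent == tmpl) and parses the DER back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildPKI builds a minimal PKI: a self-signed root CA and one end-entity certificate
// whose public key is signed by the root's private key. All names are constructed sample values.
func BuildPKI() (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	org, start := []string{"openOSI, example"}, time.Now().Add(-time.Minute)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: start, NotAfter: start.Add(48 * time.Hour),
		Subject: pkix.Name{CommonName: "openOSI Root CA", Organization: org, Country: []string{"FR"}},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: start, NotAfter: start.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"Research"}, Organization: org, Country: []string{"FR"}}}
	leaf = issue(leafTmpl, root, &leafKey.PublicKey, rootKey) // a "child" of the authority
	return root, leaf
}

// Verify asks the PKI question: does leaf chain to a root we trust? A leaf issued by an
// unrelated authority fails here even though its own signature is internally valid.
func Verify(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
```

Calling BuildPKI and then Verify(leaf, root) returns nil, while Verify against a second, unrelated root produced by another BuildPKI call fails. leaf.Subject.String() renders as CN=alice,OU=Research,O=openOSI\, example,C=FR, most-specific component first and with the comma in the organisation escaped as RFC 2253 requires.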

A difficulty arises with the two competing LDAP naming schemes: the original X500 style and the added DC style (see RFC 2247). The idea there is integration with the Internet DNS, leveraging the DNS name registration scheme to obtain globally unique X500/LDAP DNs. Nevertheless, most PKI software can be configured properly (see openCA). Another difficulty is the real-world mapping of "many certificates to one person/entity". Note that Microsoft Active Directory LDAP can only use the DC style, and native X509 mapping is an option (DS mapping).

Many professional PKI systems are available for the X509 standard, such as Microsoft Certificate Server and many others. The open source world allows tight integration using a PKI like openCA, interworking with X500/LDAP. A tight integration of X400 message attributes and X.509 certificates could leverage the development of related security applications.

Many Java classes allow X509 manipulation, such as javax.net.ssl and javax.security.cert.X509Certificate (java.lang.Object, javax.security.cert.Certificate); see also the PureTLS library from the Globus GRID alliance. The integration with the X400 osiJMS provider and X500 / LDAP / JNDI will allow applications with scalable security.

X509 is more and more a foundation for strategic information technologies such as identity management (Liberty Identity Web Services Framework, ID-WSF) and GRID (GSI, Grid Security Infrastructure).

X509 is also a major piece (authentication) of IPsec, a standard for securing the IP protocol. Open source tools interwork with commercial products.