Light Weight Directory Access Protocol (LDAP) has become very popular due to its efficient and fast data access. A large number of applications/services are currently being developed which use an LDAP directory as their centralized data repository.
In the LDAP directory, data is stored as entries including key/value pairs. A key/value pair may consist of an attribute name and an attribute value. For example, an entry representing a person may include the textual string “telephoneNumber” as the attribute name and the numeric string “+1 800 123 4567” as the attribute value.
An LDAP directory can be queried to provide an attribute value of an LDAP entry. The attribute value is sometimes used to prove certain status of the entry. For example, the attributes of an LDAP entry for a person may include the person's social security number, driver license number, employee status, contact information, etc. Upon providing the values of these attributes, the person may be granted certain privileges, such as driving a rental car, access to an employer-sponsored facility, etc.
Conventional LDAP directories do not prove to a recipient that the attribute values sent to the recipient are authentic. The recipient is not provided with a means of verifying the authenticity of the received attribute values. Rather, the authenticity of the attribute values is implied from the fact that the values are received from a particular LDAP directory server. Relying on the data source, rather than the authenticity of the data itself, may sometimes be undesirable. For example, conventional LDAP techniques may be more susceptible to man-in-the-middle attacks and less adaptable to a network environment where proxy servers are used. Thus, there is a need to develop a secure and efficient technique for allowing a recipient to verify the authenticity of the attribute values returned from an LDAP directory.