Directory service specification
In many areas of public administration, public key infrastructures (PKIs) are already in operation or are being set up. These individual infrastructures are to be consolidated into the public administration PKI, for which the BSI operates the root certificate authority. The individual certificate authorities (CAs) issue and publish certificates and, where necessary (for example, when a key has been misused), revoke them by means of revocation lists.
This information, which end users depend on, is made available by a directory service. Within a single PKI domain, the local directory service is typically quick to set up. Subscribers must also be able to communicate across domains, however, for example when a federal authority wishes to exchange confidential messages with a state authority. As soon as the boundary of a PKI domain is crossed, e.g. to verify a certificate or search for a key, the subscriber also needs access to the information held in the other domain. For security and performance reasons, however, the local directory services of the individual domains are generally closed to third-party access by firewalls or by blocked protocols or ports.
To establish a 'connection' between the local directories for the respective domains, the necessary and approved PKI information can be exchanged by means of a 'centralised exchange service'. A centralised directory service can also make those items of PKI information publicly accessible whose publication is permitted.
The 'directory service specification' describes the technical, organisational and legal measures required to ensure the exchange of PKI information between the local directory services and the public provisioning point.
Directory service specification (PDF)
Directory service specification attachments (PDF)