The LDAP address book (LDAP = Lightweight Directory Access Protocol) is a database or directory that an email application queries via a predefined path (server name, port, branch/search base), for example to look up the user certificate belonging to an email address. If such an LDAP address book is integrated into your own email application, encrypted emails can be sent directly, provided the recipients have published their user certificate in the LDAP address book. Not every email has to be sent encrypted; once the setup is complete, you can choose this option for each message. Read more about the encryption of emails in part 2 of the blog series.
The LDAP Address Book at RWTH Aachen University
RWTH Aachen University has its own LDAP server, which can be integrated as an LDAP address book to find user certificates. You can find the server under the following details:
- Server address: ldappv.rwth-aachen.de
- Search base: o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,dc=de
In this GÉANT branch you can search by the recipient's email address or surname. At most three results are returned, so a precise search (for example, the complete email address) is advantageous.
The GÉANT branch can be integrated into common e-mail applications.
GÉANT/TCS vs. DFN-PKI Global
At this point, the PKI migration from DFN to GÉANT/TCS in August 2023 poses a challenge. All valid user certificates of the new GÉANT/TCS PKI (available via the RA portal since August 2023) are automatically included in ldappv.rwth-aachen.de. All still valid and published user certificates of the old DFN-PKI Global (issued until the end of August 2023 and valid for up to three years) can be found on the LDAP server of the DFN-PKI:
- Server address: ldap.pca.dfn.de
- Search base: ou=DFN-PKI,o=DFN-Verein,c=de
This means that if you want to find all users at RWTH with a published user certificate, you must integrate both of the above LDAP address books. The fastest search result is obtained by searching for an exact email address.
The advantage of the DFN-LDAP is that you can also find certificates of users from other institutions within the DFN-Verein and outside RWTH, and it is accessible worldwide. The disadvantage, however, was that when applying for a certificate in the DFN-PKI Global, you could choose whether or not it would be published in the DFN-LDAP. As a result, it is possible that recipients who hold a certificate are still not found in the DFN-LDAP. In such a case, digitally signed emails must be exchanged first so that each side obtains the other's certificate (handshake).
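The two-directory lookup described above, as an added example that is not part of the original post or of RWTH's tooling: it builds an RFC 4515-escaped filter (so an address containing `*` or parentheses cannot change the query), searches both address books for the `userCertificate;binary` attribute, and flags when the three-result cap was reached. The network call is passed in as a function, so the logic runs offline; the `ldap3_search` backend at the end assumes the third-party `ldap3` package and that both servers accept an anonymous LDAPS bind on port 636.

```python
from dataclasses import dataclass

# (server, search base) for the two directories named in the post
DIRECTORIES = {
    "rwth-geant": ("ldappv.rwth-aachen.de",
                   "o=RWTH Aachen University,ou=GEANT/TCS,dc=rwth-aachen,dc=de"),
    "dfn-pki": ("ldap.pca.dfn.de", "ou=DFN-PKI,o=DFN-Verein,c=de"),
}
CERT_ATTR = "userCertificate;binary"
RESULT_CAP = 3  # the RWTH branch returns at most three entries per query


@dataclass
class Hit:
    directory: str
    dn: str
    der_certificate: bytes  # DER-encoded X.509 certificate as stored in the directory


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input becomes a literal value, never filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(email=None, surname=None) -> str:
    """Exact e-mail match is preferred (fast and unambiguous); surname is the fallback."""
    if email:
        return f"(mail={escape_filter_value(email)})"
    if surname:
        return f"(sn={escape_filter_value(surname)})"
    raise ValueError("need an e-mail address or a surname")


def find_certificates(search, email=None, surname=None):
    """Query both directories via search(host, base, filter) -> [(dn, attrs), ...].

    Returns (hits, capped); capped=True means a directory hit the result cap,
    so the query should be narrowed (e.g. to the complete e-mail address)."""
    ldap_filter = build_filter(email, surname)
    hits, capped = [], False
    for name, (host, base) in DIRECTORIES.items():
        entries = search(host, base, ldap_filter)
        capped = capped or len(entries) >= RESULT_CAP
        for dn, attrs in entries:
            for der in attrs.get(CERT_ATTR, []):
                hits.append(Hit(name, dn, der))
    return hits, capped


def ldap3_search(host, base, ldap_filter):
    """Real backend; assumes the `ldap3` package and anonymous LDAPS on port 636."""
    import ldap3  # imported here so the rest of the module works without it
    conn = ldap3.Connection(ldap3.Server(host, port=636, use_ssl=True), auto_bind=True)
    conn.search(base, ldap_filter, attributes=[CERT_ATTR])
    return [(e.entry_dn, {CERT_ATTR: list(e[CERT_ATTR].raw_values)}) for e in conn.entries]
```

Call `find_certificates(ldap3_search, email="someone@rwth-aachen.de")` to run it against the live directories; the DER bytes in each hit are what a mail client imports as the recipient's S/MIME certificate.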
What Should I Bear in Mind When Exchanging Encrypted Emails?
As with digital signing, your own .p12 file (and therefore your own private key) must never be passed on to third parties. If you change computers, remember to import your .p12 files on the new computer and into the email application.
You must proceed in the same way if you use several computers and want to read encrypted emails on all of them. Also consider carefully whether you want to install your own cryptographic keys on devices such as smartphones, which are easier to steal or lose. It is recommended that you open sensitive emails on your work computer.
What About Digitally Encrypting Documents?
It is also possible to digitally encrypt documents, for example using Microsoft Word or Adobe Acrobat. Please note that there are no instructions for this on IT Center Help yet due to the low demand.
How Do I Use My User Certificate?
We have now reached the end of the “Email security” blog series. In the following, we will briefly summarize the possible uses of your user certificates:
- For sending digitally signed emails
- For digitally signing documents
- For sending digitally encrypted emails
- For receiving digitally encrypted emails
- For authentication on web applications (not at RWTH)
Applications for user certificates at RWTH have been made via the RA portal since mid-August 2023. Instructions can be found in our documentation portal IT Center Help.
Responsible for the content of this article are Mirko Koch, Bernd Kohler, Jelena Nikolić, and Katerina Papachristou.