Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.

Slides:

Advertisements

Similar presentations

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

Advertisements

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.

RPKI Standards Activity Geoff Huston APNIC February 2010.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Dynamic Allocation of Shared IPv4 Addresses draft-csf-dhc-dynamic-shared-v4allocation-00 Q. Sun, Y. Cui, I. Farrer, Y. Lee, Q. Sun, M. Boucadair IETF 89,

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Implementing Application Protocols. Overview An application protocol facilitates communication between applications. For example, an client uses.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.

The Resource Public Key Infrastructure Geoff Huston APNIC.

Diameter End-to-End Security: Keyed Message Digests, Digital Signatures, and Encryption draft-korhonen-dime-e2e-security-00 Jouni Korhonen, Hannes Tschofenig.

Status Update for Algorithm Transition for the RPKI (draft-ietf-sidr-algorithm-agility) Steve Kent Roque Gagliano Sean Turner.

Assuring e-Trust always 1 Status of the Validation and Authentication service for TACAR and Grids.

16.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 16 Security at the Application Layer: PGP and.

Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne – DSS-X member.

An XMPP (Extensible Message and Presence Protocol) based implementation for NHIN Direct 1.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.

Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

SPPF Batch DOS Considerations Jeremy Barkan Xconnect 28 March

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Module 9: Fundamentals of Securing Network Communication.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

Michael Myers VeriSign, Inc.

An XML based Security Assertion Markup Language

Page 1 IETF TRADE WG 10 August 2001 London

Integrating security services with the automatic processing of content TERENA 2001 Antalya, May 2001 Francesco Gennai, Marina Buzzi Istituto.

GEOPRIV Experiment at IETF 71 n Goal: Demonstrate GEOPRIV protocols using the IETF network to provide location l Data formats: PIDF-LO and Civic Address.

A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

March 2006IETF 65 - Dallas1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Dave Mitton, RSA Security for Magnus Nyström IETF SAAG.

TNC Proposals for NEA Protocols Presentation by Steve Hanna to NEA WG meeting at IETF 71 March 11, 2008.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.

Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.

CCSDS Security/DTN Status 11/6/2015 DENNIS IANNICCA CCSDS GRC CHARLES SHEEHE CCSDS GRC POC 1.

Subject Identification Method August, 2004 Tim Polk, NIST.

SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

APNIC Trial of Certification of IP Addresses and ASes

Resource Certificate Profile

Progress Report on Resource Certification

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

Presentation transcript:

Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007

Problem Statement How to automate the process of certificate issuance such that the issued certificate accurately tracks the current resource allocation status Avoid situations where the issued certificate “overclaims” resources The issued certificate “underclaims” resources

Scenario Certificate Issuer Internet Registry Certificate Subject Resource Holder Allocates / Assigns Addresses Issues Resource Certificates

Scenario Certificate Issuer Internet Registry Certificate Subject Resource Holder Allocates / Assigns Addresses Issues Resource Certificates Resource Certificate Provisioning Protocol

Protocol Characteristics Simple Client / Server protocol using a request / response interaction over a secure reliable channel Client Server HTTPS POST HTTPS RESPONSE

Protocol Payload Cryptographic Message Syntax (CMS) SignedData object type Include Signing Time in the CMS wrapper Include CMS signing cert in the CMS wrapper XML Data Objects Carried as CMS payload

XML Message Structure <message xmlns=" version="1" sender="sender name" recipient = "recipient name" type="message type"> [payload]

Messages Query Issue Revoke

Query Message Request: type=“list” Response: List of Resource “classes” List of allocated / assigned Number Resources within this class Issued certificate(s) for this class

Issue Message Request: type=“issue” Payload: Resource “class” name PKCS#10 Certificate Request Response: Payload: Issued certificate

Revoke Message Request: type=“revoke” Payload: Resource “class” name Subject’s public key Response: Payload: confirmation of revocation

Error Responses Error status returned when the request could not be performed

Protocol Specification Current (unsubmitted) draft is: provisioning-00.html

Next Steps Adoption of the specification of this provisioning protocol as a SIDR WG Document?