Resource Certificate Profile

Slides:

Advertisements

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Advertisements

RPKI Standards Activity Geoff Huston APNIC February 2010.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Chapter 14 – Authentication Applications

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.

RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

A PKI for IP Address Space and AS Numbers Stephen Kent.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Symmetric Encryption Mom’sSecretApplePieRecipe Mom’sSecretApplePieRecipe The same key is used to encrypt and decrypt the data. DES is one example. Pie.

A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.

1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

Certificate Requests to HIP Jani Pellikka 80 th IETF Mar 27 th – Apr 1 st 2011 Prague, Czech Republic.

Updates to the RPKI Certificate Policy I-D Steve Kent BBN Technologies.

Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Manifests (and Destiny?) Stephen Kent BBN Technologies.

Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.

Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas

1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.

Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.

Discovery of CRL Signer Certificate Stefan Santesson Microsoft.

Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

RPKI Gray Area: Inheritance? IETF 83, SIDR WG Contributors: Andrew Chi (BBN), Rob Austein (DRL), Tim Bruijnzeels and Miklos Juhasz (RIPE NCC)

November 2006 Geoff Huston APNIC

Trust Anchor Management Problem Statement

Cryptography and Network Security

Authentication Applications

RPKI Trust Anchor Geoff Huston APNIC.

کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)

APNIC Trial of Certification of IP Addresses and ASes

Security in ebXML Messaging

زير ساخت كليد عمومي و گواهي هويت

Public-Key Certificates

APNIC Trial of Certification of IP Addresses and ASes

Digital Certificates and X.509

Progress Report on Resource Certification

October 2006 Geoff Huston APNIC

ROA Content Proposal November 2006 Geoff Huston.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

Issuing delegate certs to Customer AF using Cross-Certification

The devil is in the details

Presentation transcript:

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67

Resource Certificate Profile Background: This certificate is intended to express a “right-of-use relationship between the subject and an IP number resource set, as certified by the certificate’s issuer The certificate structure is intended to follow the allocation path – each party certifies their own allocation actions, so that the Issuer’s attestation regarding “right-of-use” mirrors the Issuer’s allocation actions of the number resource to a Subject The base profile is RFC3280 PKI Certificate Profile and RFC3779 IP Address extensions The proposed profile for Resource Certificates is in draft-ietf-sidr-res-certs This draft has been produced by an APNIC editing group, with input from a design team and this WG

draft-ietf-sidr-res-certs General constraints: RFC3779 extensions are a CRITICAL extension and MUST be present, using a sorted canonical representation An Issuer cannot certify more resources than the Issuer has in existing valid resource certificates An Issuer cannot certify the same resource to 2 or more distinct Subjects

draft-ietf-sidr-res-certs Certificate Fields: Version = 3 Serial Number = positive integer Signature Algorithm = SHA256 with RSA Subject Public Key Info = Minimum bit size of 1024 bits. Intended root certificates should use key size = 2048 bits Basic Constraints = CA ON for allocation certificates, CA = OFF for signing certificates Subject Key Identifier = 160 bit SHA-1 hash of the subject’s public key Authority Key Identifier = 160 bit SHA-1 hash of the issuer’s public key CRLDP =single CRL, with at least an RSYNC:: object URL AIA = publication point of Issuer’s immediate superior certificate (in the form of a PURL), with at least an RSYNC:: object URI SIA = if a CA, publication point of all issued certificates, or if an EE cert, the URL of the object signed with this EE Cert, with at least an RSYNC:: directory URI

Draft-ietf-sidr-res-certs Certificate Revocation List Fields Scope = all certificates issued by this CA Version = 2 Authority Key Identifier = 160 bit SHA-1 hash of the issuer’s public key CRL Number = monotonically increasing integer

Current Activity The AIA points to the Issuer’s immediate certificate Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key)

Certificate Pointers CA1 AIA (PURL Object) CA2 SIA (Directory Object) Issued Certificate AIA (PURL Object) CA2 SIA (Directory Object) Issued Certificates Issuer CA2’s Certificate Store

Refinements to the Profile The AIA points to the Issuer’s immediate certificate Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key) End Entity (no-CA) Certificates are used as one-off signing certificates EE cert can be used for a single signing Private key is destroyed after a single use EE Cert SIA is a pointer to the object that has been signed with the corresponding private key Signed object validity and resource attributes are controlled by the associated EE certificate(s)

End Entity Certificates 1. Generate Key Pair 2. Generate EE Cert of public key 3. Attach EE Cert to Document 4. Sign with Private Key 6. Revoke Signature by revoking EE Cert 5. Destroy Private Key

Refinements to the Profile The AIA points to the Issuer’s immediate certificate Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key) End Entity (no-CA) Certificates are used as one-off signing certificates EE cert can be used for a single signing Private key is destroyed after a single use EE Cert SIA is a pointer to the object that has been signed with the corresponding private key Signed object validity and resource attributes are controlled by the associated EE certificate(s) Add the “Security Considerations” section text!

Review Comments Examples of Use of Resource Certificates? Example case of a subordinate certificate have a longer validity period than the superior certificate? Is the key size “SHOULD” a minimum or an absolute size? For Signature Algorithm should SHA-384 and SHA-512 be allowed options? Or should this be documented in a CP? Why specify RSYNC access as a “MUST” URI form? What is the normative language here?

Next Steps Generate an -03 version post IETF 67 Request WG chair for Last Call on this document