draft-friel-acme-integrations

Slides:

Advertisements

Similar presentations

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.

Advertisements

Secure Network Bootstrapping Infrastructure May 15, 2014.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Team - CA CSCI 5234 Web Security.  Collect and document information of ecommerce security mechanisms.  Using: wiki engine for collaboration.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Eugene Chang EMU WG, IETF 70

Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

1 82 nd IETF meeting NETCONF over WebSocket ( ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao

Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP 2.0 TLS handling Magnus Westerlund draft-ietf-mmusic-rfc2326bis-12.

Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

Certificate Enrolment STEs Group Name: SEC#18 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

Automated Certificate Management ACME + Let’s Encrypt Richard

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Requirements for Peer protocol draft-jiang-p2psip-peer-protocol-requirement-00.txt Jiang XingFeng (Johnson) P2PSIP WG, IETF #68.

Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.

1 Extensible Authentication Protocol (EAP) Working Group IETF-57.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Port Based Network Access Control

Thoughts on Bootstrapping Mobility Securely Chairs, with help from James Kempf, Jari Arkko MIP6 WG/BOF 57 th IETF Vienna Wed. July 16, 2003.

Bootstrapping Key Infrastructures

EAP Applicability IETF-86 Joe Salowey. Open Issues Open Issues with Retransmission and re- authentication Remove text about lack of differentiation in.

Richard EAP-WAI Authentication Protocol Stockholm, IETF 75th draft-richard-emu-wai-00.

Analysis of secured VoIP services

SFS-HTTP: Securing the Web with Self-Certifying URLs

Virtual Private Networks

Informing AAA about what lower layer protocol is carrying EAP

Third Party Transfers & Attribute URI ideas

Trust Anchor Management Problem Statement

Katrin Hoeper Channel Bindings Katrin Hoeper

draft-ietf-netconf-reverse-ssh

for IP Mobility Protocols

Author: Darshak Thakore

ERP extension for EAP Early-authentication Protocol (EEP)

Discussions on FILS Authentication

IETF-70 EAP Method Update (EMU)

BRSKI overview and issues

The Tunneled Extensible Authentication Method (TEAM)

Server-to-Client Remote Access and DirectAccess

SECURING WIRELESS LANS WITH CERTIFICATE SERVICES

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Wednesday, 9:30-12:00 Morning session I, Van Horne

Security Vulnerabilities in RPC (csci5931)

By co-authors Sheng Jiang & Toerless Eckert

Jiang XingFeng (Johnson) P2PSIP WG, IETF #68

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Transport Layer Security (TLS)

3RD-PARTY DEVICE ATTESTATION FOR ACME

IEEE MEDIA INDEPENDENT HANDOVER DCN:

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

Application Layer TLS draft-friel-tls-atls-00

ACME STAR & Delegation IETF 100 Hackathon.

OpenID Enhanced Authentication Profile (EAP) Working Group

IoT Onboarding for Date: Authors: November 2018

Tuesday (July 23rd, 2019) Two sessions ( minutes)

Qin Wu Zhen Cao Yang Shi Baohong He

An EAP Authentication Method Based on Identity-Based Authenticated Key Exchange draft-cakulev-emu-eap-ibake-00 Violeta Cakulev

National Trust Platform

Update on BRSKI-AE – Support for asynchronous enrollment

OpenID Enhanced Authentication Profile (EAP) Working Group

Presentation transcript:

draft-friel-acme-integrations Friel, Barnes cisco

Use Cases ACME issuance of sub-domain certificates Multiple client / device certificate integrations EST RFC 7030 - Enrollment over Secure Transport BRSKI draft-ietf-anima-bootstrapping-keyinfra - Bootstrapping Remote Key Infrastrucutres TEAP RFC 7170 – Tunnel Extensible Authentication Protocol TEAP-BRSKI draft-lear-eap-teap-brski - Bootstrapping Key Infrastructure over EAP

Related Drafts draft-yusef-acme-3rd-party-device-attestation draft-moriarty-acme-client Preliminary discussions about alignment have taken place Side meeting scheduled Coller meeting room 9am Wednesday morning

Sub-domain certificates ACME mandates that The identifier in CSR must match identifier in newOrder request The identifier in the authorization object must be used when fulfilling challenges via HTTP or DNS ACME does not mandate that The identifier in a newOrder request matches the identifier in authorization object The specification therefore allows an ACME server to issue certificates for a given identifier (e.g. a subdomain) without requiring a challenge to be explicitly fulfilled against that identifier An ACME server could issue a certificate for sub.domain.com where the ACME client has only fulfilled a challenge for domain.com An ACME server could issue certificates for a number of sub-domain certificates and only require a single challenge to be fulfilled against the parent domain

Sub-domains with pre-authorization

Client / device certificate integrations EST (which BRSKI leverages) defines the protocol that clients use to enrol with an EST Registration Authority (RA) using PKCS#10 / PKCS#7 payloads EST does not define the mechanism that the RA uses to talk to the CA TEAP (which TEAP-BRSKI leverages) defines the protocol that clients use to enrol with a TEAP server using PKCS#10 / PKCS#7 payloads TEAP does not define the mechanism that the TEAP server uses to talk to the CA The draft illustrates how ACME can be used to integrate an EST RA or a TEAP server with a CA No changes are required to EST, TEAP or ACME specifications The sub-domain proposal is a nice optimisation to facilitate issuance of large numbers of client / device certificates

EST -> ACME

Discussion Is the sub-domain use case of interest to ACME CAs? Is this worth formally documenting? Are the client / device use cases of interest? Note: this short presentation will be given ACME, ANIMA and EMU sessions Side meeting reminder: Coller, 9am Wednesday