People’s Choice… When not just any CA will do

Presentation transcript:

People’s Choice… When not just any CA will do
Bruce A Rich, OASIS KMIP F2F, Feb 2016

Why multiple CAs?
- Partitioning of intranet space into Dev, Test, Production areas
  - Dev: loose and flexible
  - Test: more tightly controlled
  - Production: rigid controls, may even be further partitioned
- May somewhat mirror the internal org chart, reflecting partition of responsibilities and control

Can “Certify” a PKCS#10 blob via KMIP, but…
- If a server has multiple CA personalities, how can the client discover/suggest/hint which one to use?
- PKCS#10 is not user-friendly; is there a way to request/tweak certificate capabilities through KMIP?

Client choice
- The Certify API allows Attributes to be passed on the call
- KMIP already has an X509 Certificate Issuer attribute
- Since that is supposed to be unique(ish), use it as the mechanism to refer to the desired issuer
- Or define a more client-friendly attribute (X509 Certificate Issuer Name -> String)

Discovering the choices
- No (protocol-defined) way to know which CAs the server might be able to contact/use on the client’s behalf
- Could add a Query extension for this; it would return zero to n X509 Certificate Issuer (or X509 Certificate Issuer Name) attributes
- Having the server volunteer the information keeps the client from having to compose this by itself…
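A constructed sketch of both halves of the proposal above, added here and not part of the presentation or any KMIP product: the server keeps a table of CA personalities (invented names), resolves either the existing X509 Certificate Issuer attribute or the proposed client-friendly Issuer Name string to exactly one of them, refusing ambiguous matches because a DN is only unique(ish), and exposes the zero-to-n issuer list a Query extension would volunteer. CA_TABLE, normalize_dn, query_issuers and resolve_issuer are all assumed names.

```python
# Added example: how a server with several CA personalities could act on the
# issuer a Certify call names, and what a Query extension could volunteer.
import re

# Constructed CA personalities, one per intranet partition (Dev / Test / Prod);
# keys are issuer DNs in RFC 4514 string form, values are internal handles.
CA_TABLE = {
    "CN=Dev CA,OU=Dev,O=Example Corp,C=US": "dev-ca",
    "CN=Test CA,OU=Test,O=Example Corp,C=US": "test-ca",
    "CN=Prod CA,OU=Prod,O=Example Corp,C=US": "prod-ca",
    "CN=Prod CA,OU=Prod-EU,O=Example Corp,C=US": "prod-ca-eu",  # same CN, other OU
}


def normalize_dn(dn):
    """Canonical form for DN comparison: split on unescaped commas, trim
    whitespace, lower-case types and values (caseIgnoreMatch). Simplified: no
    hex-encoded values or multi-valued RDNs."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, value = rdn.split("=", 1)
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def query_issuers():
    """What the proposed Query extension would return: zero to n X509
    Certificate Issuer values this server can certify against."""
    return sorted(CA_TABLE)


def resolve_issuer(issuer_dn=None, issuer_name=None):
    """Choose the CA handle for a Certify request. issuer_dn is the existing
    X509 Certificate Issuer attribute (a full DN); issuer_name is the proposed
    client-friendly string attribute, matched against the issuer CN. A DN is
    only "unique(ish)", so anything but exactly one match is refused."""
    if issuer_dn is not None:
        want = normalize_dn(issuer_dn)
        hits = [h for dn, h in CA_TABLE.items() if normalize_dn(dn) == want]
    elif issuer_name is not None:
        want = f"cn={issuer_name.strip().lower()}"
        hits = [h for dn, h in CA_TABLE.items()
                if normalize_dn(dn).split(",")[0] == want]
    else:
        raise ValueError("Certify request names no issuer")
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} CA personalities match the requested issuer")
    return hits[0]
```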

PKCS#10 avoidance?
- Could define a couple of new attributes: whether the cert is for a CA or not, and the certificate usage type
- Already have a variant of Alternative Name that is X500 Distinguished Name
- Larger scope than just usage of X509 Certificate Issuer

Recommendation
- Augment Query with one more optional thing to ask the server
- Minimalist profile to show usage

Backup slides

Common certificate extensions: “Key Usage”
- Allowable usages for the public key in the certificate: CERT_SIGN, CRL_SIGN, DATA_ENCIPHERMENT, DIGITAL_SIGNATURE, GOVT_APPROVED, KEY_AGREEMENT, KEY_ENCIPHERMENT, NON_REPUDIATION
- These are covered via the Cryptographic Usage Mask on the public key (except GOVT_APPROVED; see KMIP Spec 3.19)
- Omission is interpreted as all of the above
- OID = { 2, 5, 29, 0F } (i.e. 2.5.29.15)

Common certificate extensions… “Basic Constraints”
- Tells whether the cert is for a CA or not (TRUE or FALSE)
- OID = { 2, 5, 29, 19 } (2.5.29.19)
- Impacts all interpretation of extended key usages
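To make the two backup slides above concrete, an added example (not from the presentation or any KMIP implementation) that maps the slide's Key Usage names onto the KMIP Cryptographic Usage Mask of the public key, reports GOVT_APPROVED as having no mask bit, applies the Basic Constraints rule to CERT_SIGN/CRL_SIGN, and DER-encodes the KeyUsage extension (2.5.29.15). The pairing of each certificate usage with the verify/encrypt/wrap side of the mask is my assumption, and the constant and function names are made up.

```python
# Added example: map the slide's "Key Usage" names onto the KMIP Cryptographic
# Usage Mask of the public key and onto the DER KeyUsage extension (2.5.29.15).

# KMIP Cryptographic Usage Mask bit values (KMIP 1.x enumeration).
KMIP_VERIFY, KMIP_ENCRYPT, KMIP_WRAP_KEY = 0x02, 0x04, 0x10
KMIP_CONTENT_COMMITMENT, KMIP_KEY_AGREEMENT = 0x400, 0x800
KMIP_CERTIFICATE_SIGN, KMIP_CRL_SIGN = 0x1000, 0x2000

# X.509 KeyUsage bit positions (RFC 5280 4.2.1.3); bit 0 is the MSB of byte 0.
X509_BIT = {"DIGITAL_SIGNATURE": 0, "NON_REPUDIATION": 1, "KEY_ENCIPHERMENT": 2,
            "DATA_ENCIPHERMENT": 3, "KEY_AGREEMENT": 4, "CERT_SIGN": 5, "CRL_SIGN": 6}

# Assumed mapping for the *public* key object: each certificate usage becomes the
# verify / encrypt / wrap side of the mask. GOVT_APPROVED, which the slide lists,
# has no KMIP mask bit, so it is deliberately absent here.
TO_KMIP = {"DIGITAL_SIGNATURE": KMIP_VERIFY, "NON_REPUDIATION": KMIP_CONTENT_COMMITMENT,
           "KEY_ENCIPHERMENT": KMIP_WRAP_KEY, "DATA_ENCIPHERMENT": KMIP_ENCRYPT,
           "KEY_AGREEMENT": KMIP_KEY_AGREEMENT, "CERT_SIGN": KMIP_CERTIFICATE_SIGN,
           "CRL_SIGN": KMIP_CRL_SIGN}
SLIDE_USAGES = set(TO_KMIP) | {"GOVT_APPROVED"}  # the eight names on the slide
CA_ONLY = {"CERT_SIGN", "CRL_SIGN"}              # only meaningful when CA=TRUE


def kmip_usage_mask(usages, ca=False):
    """Return (mask, names_with_no_mask_bit). An empty list means "all of the
    above", as the slide says. CERT_SIGN/CRL_SIGN are refused for a non-CA
    certificate, since Basic Constraints governs how they are interpreted."""
    names = set(usages)
    if names & CA_ONLY and not ca:
        raise ValueError("CERT_SIGN/CRL_SIGN require Basic Constraints CA=TRUE")
    if not names:
        names = SLIDE_USAGES if ca else SLIDE_USAGES - CA_ONLY
    mask = 0
    for n in names & set(TO_KMIP):
        mask |= TO_KMIP[n]
    return mask, sorted(names - set(TO_KMIP))


def der_key_usage(usages):
    """DER-encode the KeyUsage BIT STRING (tag 0x03) for the listed usages.
    Returns b"" for an empty list: the extension is simply omitted."""
    bits = [X509_BIT[n] for n in usages]  # KeyError for a name with no X.509 bit
    if not bits:
        return b""
    value = bytearray(max(bits) // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - max(bits) % 8  # DER: trailing zero bits are not encoded
    return bytes([0x03, len(value) + 1, unused]) + bytes(value)
```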

Alternative Name
- Can provide most of the information needed by Certify: DNS Name, IP Address, X500 Distinguished Name
- Only need a “Basic Constraints” / “CA=true” attribute and an “Extended Key Usage” bitset attribute