CRL Processing Rules Santosh Chokhani November 2004.

Slides:



Advertisements
Similar presentations
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Use of AIA for Attribute Certificates
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Unit 1: Protection and Security for Grid Computing Part 2
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.
1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.
Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.
Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.
X.509 standard and CA’s operation Certificate path validation Dec. 18, C&IS lab. Vo Duc Liem.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
LDAP for PKI Problems Cannot search for particular certificates or CRLs Cannot retrieve particular certificates or CRLs.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Discovery of CRL Signer Certificate Stefan Santesson Microsoft.
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
Cryptography and Network Security
APNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Digital Certificates and X.509
ROA Content Proposal November 2006 Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

CRL Processing Rules Santosh Chokhani November 2004

2 Briefing Contents Historical Timeline Issues and Resolution Summary of Recommended Editorial Changes to RFC 3280 and RFC 2560, and X.509 Path Matching Algorithm Backup Slides

3 Historical Timeline DoD PKI motivates development of CRL Processing Rules ( ) Rules submitted to X.509 Editor ( ) X.509 accepted Input as Normative Annex (1999) RFC 3280 uses the Annex to define CRL Processing Rules (??) (2002) Issue of some CA products not asserting IDP for partial CRL comes to light (2002) Three discussion threads on PKIX on the issue of similarity of certificate “Certification Path” and CRL “Certification Path” ( )

4 Issues and Resolution What identifies a CA: name only or name + key? What does absence of IDP mean? How to ensure a CRL is from a CRL Issuer as intended by the certificate issuing CA? Should circularity be permitted during revocation status checking?

5 What identifies A CA Issue –For certificates and CRL processing logic, is a CA defined by name only or by name and a signing private key/signature verification public key Resolution –A CA is identified by name alone Basis –Numerous places in X.509 and RFC 3280 –Section 7 of X.509 Recommendation –Add a statement to RFC 3280 that a CA is identified by name

6 What Does Absence of IDP in a CRL Mean Issue –What does absence of IDP in a CRL mean for the scope of that CRL Resolution –Absence of DP in IDP means that the CRL is complete for the scope implied by the presence or absence of other fields in the IDP for the CRL Issuer –Corollary: Absence of IDP in a CRL means that CRL is complete for all certificates issued by the CA Basis –IDP extension description in RFC 3280 –IDP extension description in X.509 –CRL processing rules in RFC 3280 –CRL processing rules in X.509 (Annex B) Recommendations –No change

7 How to Ensure CRL is from the Correct CRL Issuer Issue –How to ensure a CRL is from a CRL Issuer as intended by the certificate issuing CA Resolution –If the CRL and certificate to validate are signed by the same key and the Issuer name in certificate = Issuer Name in CRL, done –Else use the algorithm defined next Basis –Need to ensure that the CRL obtained was issued by a CRL Issuer that the certificate issuer intended –Need to account for multiple CAs with the same name Recommendations –Add the text to 3280 –Text already recommended for X.509

8 Path Matching Algorithm: Motivation There can be more than one CA with the same name If the certificate and CRL are signed using different keys, how do you know if these are two different CAs or the same CA is using different key –Different keys can be used due to having different certificate and CRL signing keys or due to CA re-key Starting with a TA, the relying party can match the CA names in the certificate and CRL certification paths –Assumes that a CA will not certify two distinct CAs with the same name

9 Path Matching Algorithm: Assumption For indirect CRL, we have some choices to define the algorithm –State that specification does not address it –Make one of the following trust assumptions –Assume that Indirect CRL Issuer is issued a certificate by the certificate issuer –Assume that the indirect CRL issuer is one of the ancestors –Assume that the indirect CRL issuer is issued a certificate by one of the ancestors (selected – appears to be most flexible) –Assume that the indirect CRL issuer is one of the ancestors or issued a certificate by the trust anchor ((selected – appears to be most flexible)

10 Path Matching Algorithm: Initialization One Develop certificate certification path Develop a list of (certpath-subject 0 ) (certpath- issuer 1, certpath-subject 1 ) (certpath-issuer 2, certpath-subject 2 ) etc., where certpath- subject 0 is the trust anchor DN and item (certpath-issuer i, certpath-subject i ) is the issuer and subject DNs from the i th certificate Delete all entries i, where certpath-issuer i = certpath-subject i –Get rid of self-issued certificates Renumber the entries to 1 through N cert

11 Path Matching Algorithm: Initialization Two Develop CRL certification path Develop a list of (CRLpath-subject 0 ) (CRLpath- issuer 1, CRLpath-subject 1 ) (CRLpath-issuer 2, CRLpath-subject 2 ) etc., where CRLpath- subject 0 is the trust anchor DN and item (CRLpath-issuer i, CRLpath-subject i ) is the issuer and subject DNs from the i th certificate Delete all entries i, where CRLpath-issuer i = CRLpath-subject i –Get rid of self-issued certificates Renumber the entries to 1 through N CRL

12 Path Matching Algorithm: Initialization Three If certpath-issuer Ncert = CRLpath-subject NCRL verify that N cert = N CRL + 1 – For direct CRL, the CRL certification path is one less than certificate certification path If certpath-issuer Ncert ≠ CRLpath-subject NCRL, set N CRL = N CRL - 1 – For indirect CRL, the CRL issuer may or may not be in the certificate certification path –Verify that N CRL < N cert N cert = N cert - 1 –Ignore the end entity certificate for the match Set j = 1 –Set iteration count Set N = Min (N CRl, N cert ) –Set number of DNs to match

13 Path Matching Algorithm: Path Names Matching Logic Verify certpath-subject 0 = CRLpath-subject 0 –Match the trust anchor DNs Do while j ≤ N –Verify certpath-issuer j = CRLpath-issuer j –Verify certpath-subject j = CRLpath-subject j Enddo

14 Path Matching Algorithm: CRL Issuer Name Matching Logic Verify that the Subject DN in the last certificate in the CRL certification path = Issuer Name in the CRL Apply RFC 3280 Section 6.3 logic You still need to apply all certification path validation rules to the CRL certification path

15 Benefits Mitigates Threats: –Microsoft  Orion CA  Chokhani (#10 compromised) –VeriSign  Orion CA (not the same)  CRL (does not have number 10 –Room for mischief or honest error Efficiency in path development for CRL

16 Path Matching Algorithm: Epilogue One way to achieve some of the requirements is to use the requirement to guide the certification path building for CRL This obviates the need for extra logic and makes the CRL certification path development efficient Algorithm presented can be optimized for computational complexity and code foot print –Some checks are redundant –They are listed here to provide a modular and easy to understand algorithm

17 Other CRL Processing Related Points Keep in mind, you always have the CRL before you build the path to it You can build the CRL “certification path” using issuer, subject pairs from the certificate “certification path” –Can be used to build the path in either direction (TA to CRL Issuer or CRL Issuer to TA) You can use AKID in the CRL to select the CRL Issuer certificate

18 Alternative Extension to CRL Path Matching Algorithm: Motivation In lieu of path matching algorithm presented, one can determine if the CRL is from the same CA as the certificate issuer, if –CRL contains keys or hash of keys used by the CA to sign certificates; and –Certificate in question is signed using one of the keys or key hashes asserted (enumerated) in the CRL by the CA claiming to be certificate signing keys –Enhance cryptographic binding between the CRL signing key and certificate signing key

19 Alternative Extension to CRL Path Matching Algorithm A CRL entry extension could be defined that contains the hash of the certificate issuer subjectPublicKeyInfo A CRL extension could be defined containing SEQUENCE of hashes of the certificate issuer subjectPublicKeyInfo –SET may be better from the point of view of matching efficiency If the Issuer certificate signing key hash matches any of these values, the CRL is from the same CA as the certificate Useful for OCSP Responders IDP still defines the scope The assumption that a CA will not be an indirect CRL Issuer for another CA with the same name is reasonable Still need to discover CRL path

20 Problem of Locating CRL Signer Certificate: Direct CRL Example TACA 1 CA 2 Certificate Old Key CA 2 New Key CRL Assumption: Relying party can not access a directory/repository How to find this certificate

21 Problem of Locating CRL Signer Certificate: Indirect CRL Example TACA 1 CA 2 Certificate CAI CRL Assumption: Relying party can not access a directory/repository How to find this certificate

22 Solution: AIA Extension in CRL Solution originator: Stefan Put a non-critical AIA extension in the CRL CRL can be used to locate the CRL signer certificate Requires minor revision to RFC 3280 description of AIA –Replace CA with authority –Make appropriate changes to attribute type for DAP access –Opportunity to clarify the format of AIA target (certificate or p7 file)

23 Circularity in Revocation Checking Issue –What if a certificate whose revocation status is being checked is in the path to verify the signature on the CRL or OCSP response for that same certificate oCan occur with self-issued certificates oCan occur when an OCSP Responder covers all certificates in a PKI Domain Resolution –Provide some guidance in the Security Consideration section of RFC 3280 and RFC 2560 Basis –Checking the revocation status of a certificate via a revocation information whose signature is verified using a certification path involving the very same certificate causes chicken and egg problem oValidating path requires certificate status oObtaining certificate status requires validated path Recommendations –Add text from slide 22 to Security Considerations Section in RFC 3280 –Add text from slide 23 to Security Considerations Section in RFC 2560

24 Alternatives for CRL 1.Say nothing 2.Clarify that a CA is supposed to request revocation of all certificates issued to it when a key associated with self-issued certificate requires revocation 3.Use no-check extension in self-issued certificates 4.Transition from 2 to 3 5.Say something in Security Considerations (selected in order to make no changes to the standard)

25 Alternatives for OCSP Do not appear to be any

26 Text for RFC 3280 Security Consideration Section Revocation status of a certificate must not be checked using a CRL whose signature validation requires that same certificate in the certification path. For example, this may occur in self-issued certificates for key roll over or when a CA issues itself a certificate for CRL signing. A simple way to avoid this for key roll over certificates is to sign two CRLs (one using the old key and another using the new key). A simple way to avoid this for CRL signing key is to have the parent CA issue two certificates or if the CA is a trust anchor, promulgate two trust anchors.

27 Text for RFC 2560 Security Consideration Section Revocation status of a certificate must not be checked using an OCSP Response whose signature validation requires that same certificate in the certification path.

28 Questions

29 Matching IDP in CRL and CRL Distribution Point in Certificate Certificate CRL with IDP DP in IDP = DP in CRL DP CRL with IDP Absent CRL with IDP DP = NULL Partitioned CRL Partitioned CRL by Reason Code and or Certificate Type

30 Circularity in Revocation Checking TACA 1 CA 2 CRL

31 List of Acronyms and Abbreviations CACertification Authority CRLCertificate Revocation List CRL DPCRL Distribution Point DNDistinguished Name IDPIssuing Distribution Point OCSPOnline Certificate Status Protocol PKIPublic Key Infrastructure RFCRequest for Comment TATrust Anchor

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.