PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.


Points of Interest
• PKI Bench from Entegrity
• Why we are starting at 8:30 …

Management Protocols
• Intent to give an overview and understanding of protocols
• Decision considerations
• Presenters:
  – SCEP – Bob Moskowitz
  – CMP – Stephen Farrell
  – CMC – Michael Myers

Lifecycle Protocols – SCEP
• Put certificates in devices without Web browsers
• IETF Draft, no activity
• Cisco reference implementation in progress
• Q: How accurate is implementation to spec?
  – A: interoperation from spec observed

Lifecycle Protocols – CMP
• PKIX certificate management
• Comprehensive for key and lifecycle management (11 operations)
• High level of flexibility (EE-RA-RA-CA!)
• CRMF split out for reuse with CMC
• Version 2 based on Interoperability testing results

Lifecycle Protocols – CMC
• Reuse as much as possible of S/MIME library
  – Small footprint for PDAs, phones etc.
• Alternative to CMP based on PKCS 7/10 using Cisco work
• Uses CRMF
• Other requirements: single round trip certificate requests, client side key generation
• Server side generation is possible
• Similar functionality between CMC/CMP

Lifecycle Protocols – Panel Discussion Summary
• Panel Consensus:
  – SCEP is tactical and targeted at routers
  – CMP and CMC are functionally equivalent
  – CMP and CMC are suitable for the same application domains
  – Applications may choose between CMP and CMC
  – PKI vendors should support both

Interoperability White Paper
• Lead: Bob Moskowitz
• Abstract
  Identify barriers to interoperability between PKI components. Provide a framework for future efforts to address these issues. Document issues for implementers. The initial framework will rely on the separation based on applications, components and enterprise relationships.

Interoperability White Paper
• Authors
  – Bob Moskowitz, Frederik Loeckx, Francois Rousseau, John Hughes, Steve Lloyd
• Work Plan
  – Solicit Input: early July
  – Divide Work: mid July
  – Write Draft: late Summer
  – Review Draft: September (Montreal)

Path Construction White Paper
• Lead: Stephen Farrell
• Abstract
  Applications that make use of public key certificates have to validate certificate paths. Before validating a certificate path, it is first necessary to construct that path. This means finding a set of certificates that appears to chain up to a trust point. This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc.) and how to avoid "loops".
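
An added illustration of the path construction problem named in the abstract above (not part of the original slides or the white paper): a depth-first builder that chains certificates by issuer and subject name up to a trust point and refuses to revisit a name already on the path, so cross-certified CAs cannot cause a loop. The `Cert` record, the sample store, the source labels and `build_paths` are all constructed for this example, and only name chaining is modelled.

```python
from collections import namedtuple

# Names only: real builders also match key identifiers, and the resulting
# path must still be validated (signatures, validity, revocation).
Cert = namedtuple("Cert", "subject issuer source")

# Constructed sample store: CA-A and CA-B cross-certify each other (a loop),
# and certificates come from different sources.
STORE = [
    Cert("alice", "CA-B", "presented"),
    Cert("CA-B", "CA-A", "ldap"),       # CA-A certifies CA-B
    Cert("CA-A", "CA-B", "ldap"),       # CA-B certifies CA-A (closes the loop)
    Cert("CA-B", "CA-B", "database"),   # self-issued certificate
    Cert("CA-A", "Root", "database"),   # issued by the trust point
]
TRUST_POINTS = frozenset({"Root"})


def build_paths(target, store=STORE, trust_points=TRUST_POINTS, max_len=8):
    """Return all candidate paths (end entity first) that chain to a trust point."""
    by_subject = {}
    for cert in store:
        by_subject.setdefault(cert.subject, []).append(cert)
    paths = []

    def extend(path, seen):
        issuer = path[-1].issuer
        if issuer in trust_points:
            paths.append(list(path))
            return
        if len(path) >= max_len:        # hard bound on path length
            return
        for cand in by_subject.get(issuer, []):
            if cand.subject in seen:    # loop avoidance: name already on path
                continue
            extend(path + [cand], seen | {cand.subject})

    for leaf in by_subject.get(target, []):
        extend([leaf], {leaf.subject})
    return paths


if __name__ == "__main__":
    for p in build_paths("alice"):
        chain = " -> ".join(f"{c.subject} [{c.source}]" for c in p)
        print(chain, "->", p[-1].issuer)
```
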

Path Construction White Paper
• Authors: Stephen Farrell, Steve Koehler, Michael Myers, Tim Polk, Steve Lloyd
• Work Plan
  – Solicit Input: early July
  – Divide Work: mid July
  – Write Draft: late Summer
  – Review Draft: September (Montreal)

LDAP White Paper
• Lead: Aidan O’Brien
• Abstract:
  Survey the problems associated with PKI interactions with LDAP and directories. Identify issues where existing standards and practices are insufficient and what partial solutions exist. Lay a foundation to assist in prioritizing future work on the use of LDAP within PKI.

LDAP White Paper
• Authors: Aidan O’Brien, Gordon Buhle, Dave Bachmann, Nada Kapidzic Cicovic, Jean Pawluk
• Work plan
  – Solicit Participation: June
  – Agree on Purpose: July
  – Collect issue contributions: July
  – Review Draft: August
  – Publish White Paper: September

Working Session (1/2)
• Report on Business Work Group and Technical Work Group Relationship
• Application Certificates
  – Stay on current script approach
  – Need volunteer for “standard” certificates library
  – Data presentation – Sheet per application/PKI pair
  – An additional Face to Face workshop is desired, but may be difficult to schedule

Working Session (2/2)
• Certificate Validation
  – IETF WG revisiting requirements and protocols
  – Schedule presentation by IETF contributors in Montreal
• B2B Protocols
  – Some standardization work
  – Deployment may be difficult
  – Work required by PKIF unclear
• LDAP (from CMP interop discussion)
  – Multiple problems
  – Varying definition
  – Address these issues as part of LDAP white paper
  – Follow definition of work expected

Montreal Topics
• Review work in progress
  – Demonstration planning (needs input from BWG)
• IETF Remote Path Processing
• Review outcomes from LDAP white paper
• Further B2B Application discussion

Lifecycle Protocols – General Discussion
• Smart Card requirements and support
• What Domains does each protocol address
  – SCEP – tactical for in devices now that don’t have browsers
  – SCEP is routers
  – CMP and CMC similar domains
  – CMC with broad input
  – CMC may have advantage on PDA’s
  – In IPSEC environment, how do CMC and CMP
• Suitability of CMC and CMP for store and forward
  – POP requires multiple round trip
• Automatic cross certification of debatable use
  – May need better definition of terms (BWG is working on one)
• Implementation status
  – “VeriSign is willing to support any protocol that shows emergence in the marketplace.”
  – Andrew Nash – “An issue of leadership.”
• Is storing certificate in LDAP part of the Life Cycle Management protocol
  – May be policy statement outside lifecycle management protocol
  – Must be specified in some terms for implementation of EE
  – Awareness will impact implementation
  – PKIF TWG may want to take this on
• What should a PKIF do with SCEP and CMC
  – SCEP not do anything about SCEP
  – Should do CMC interop, scenarios, service providers should provide both, EE select