MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

Slides:



Advertisements
Similar presentations
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Advertisements

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Configuring Active Directory Certificate Services Lesson 13.
Status Update for Algorithm Transition for the RPKI (draft-ietf-sidr-algorithm-agility) Steve Kent Roque Gagliano Sean Turner.
1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039.
Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
HEPKI-TAG UPDATE Jim Jokl University of Virginia
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Bridge Certification Architecture A Brief Demo by Tim Sigmon and Yuji Shinozaki June, 2000.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #59 – PKI4IPSEC Working.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, Amsterdam.
1 PKI Disaster Recovery and Key Rollover Bull S.A.S.
1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.
By Umair Ali. Dec 2004Version 1 -PKI - a security architecture – over the internet. -Provides an increased level of confidence for exchanging information.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Jimmy C. Tseng Assistant Professor of Electronic Commerce
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
UTF8String Deployment Status and Migration Plan Akira KANAOKA Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency,
User Interface Requirement for the Internet X.509 PKI Jaeho Yoon (on behalf of Tae K. Choi) KOREA INFORMATION SECURITY AGENCY August 4, 2004.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
Framework on Key Compromise, Key Loss & Key Rollover
Public Key Infrastructure (PKI)
Trust Anchor Management Problem Statement
Cryptography and Network Security
Public Key Infrastructure Using X.509 (PKIX) Working Group
Resource Certificate Profile
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

mPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net

Abstracts of this I-D This memo is used to share the awareness necessary to deployment of multi-domain PKI. Scope of this memo is to establish trust relationship and interoperability between plural PKI domains. Both single-domain PKI and multi-domain PKI are established by the trust relationships between CAs. Typical and primitive PKI models are specified as single-domain PKI. Multi-domain PKI established by plural single-domain PKI is categorized as multi-trust point model and single-trust point model. Multi-trust point model is based on trust list model, and single-trust point model is based on cross-certification.

I-D contents 1 Introduction 2 Requirements and Assumptions 3 Trust Relationship 4 PKI Domain 5 Single-domain PKI 6 multi-domain PKI 7 Security Considerations 8 References 9 Acknowledgements 10 Author's Address 11 Full Copyright Statement

Previous working items To sort an intentional model and a non- intentional model  Authority Trust List model and Mesh model MAY be non-intentional model. To consider Trust list model again  Most actual Trust list model does not use policyId. To select appropriate term  trusty PKI domain and trusted PKI domain  trusted third CA  Top CA in Super Domain model To Maintain the remaining TBD items MUST collect more comments and review! Describe to considerations of each model 3.1.2, 5.3 Revise terminology and security considerations 2.2, 6.1 or 7.4 Revise amd add terminology 2.2, 6.2.2, To Be Continued!

CHANGES

Wording policy, security policy -> certificate policy super domain model -> unified domain model trusty -> trusting

2.2 Terminology Trusting domain/CA (re-defined)  Domain/CA that trusts a certain domain/CA Trusted domain/CA (re-defined)  Domain/CA that is trusted from a certain domain/CA Unificate CA (new)  Issues unilateral cross-certs to other domains  Specified as a trust point for all cross-certified domain Unified domain model (re-defined)  Obsolete super-domain model Trusted third CA (modified)  Trusted third party for each domains  Using for Hub model and Unified domain model

2.2 Terminology (cont ’ d) PKI domain (modified)  MUST more than one principal CA  SHOULD more than one common certificate policy domain policy (modified)  common certificate policy (OID) shared in PKI domain  be used to distinguish each PKI domain Relying Party (modified)  relying party MUST have a set of trust anchors and MAY have a set of acceptable certificate policies.

2.2 Terminology (cont ’ d) Public PKI (new)  PKI using the trust point that is registered without user's clear agreement. certificate store managed by OS or each applications Web browser using its embedded root certificate for SSL/TLS is typical model of this. Private PKI (new)  PKI using the trust point that is registered with user's clear agreement. Generally, all trust point registration require clear user's agreement. In Private PKI, each PKI domain MUST have a domain policy.

3.1 Trust List 3.1 Trust list  Considerations (new) Finding out a revocation of each trust point is more difficult than single-trust point model Authority Trust List  Definition (add) Trust list MAY issue plural trust list for some purpose or some parties.  Considerations (add) No standard to use this model Just theory for comparison with User Trust List.

3.2 Cross-Certification Considerations (added)  When update the Cross-Certificate Considerations for crossCertificatePair updating to modify certificate contents  certificate policies, subjectAltName, etc.  When update CA keypair Considerations in whether the CA issues self-issued certificate for key rollover  When compromise the keypair of subject CA Revoke the cross-cert and remove cross-cert pair from repository

4 PKI domain separate two requirements  minimum requirements to establish PKI domain  additional requirements for multi-domain PKI interoperability

5.3 Mesh PKI model Considerations (add)  to Determine principal CA  SHOULD NOT be designed intentionally

6.1 Multi-Trust point model Considerations (added)  Format of Trust list including validation paremeters has no standard.  Public PKI uses trust list without domain policy. SHOULD NOT use policy control, also  Revocation checking for all trust points. Each CAs SHOULD announce, if it is revoked Based on Authority Trust List  This memo does not recommend using this model

6.2.3 Hub model Requirements for Hub model (modify)  define policy mapping minutely

7 Security Considerations 7.1 Certificate and CRL profile  MUST comply with RFC Public PKI and Private PKI (new)  Public PKI more important for interoperability with current certification path No domain policy Do not assume policy control in certification path  Private PKI more strict path validation because it is used for critical transaction.  Certificate used for both certificate policies extension SHOULD be non-critical. In Public PKI, RP SHOULD NOT require policy control In Private PKI, RP MAY require policy control

7 Security Considerations 7.1 Certificate and CRL Profile (add)  MUST comply with RFC Public PKI and Private PKI (modify)  Public PKI more important for interoperability with current existing certification path No domain policy Do not assume policy control in certification path  Private PKI more strict path validation because it is used for critical transaction  Certificate used for both certificate policies extension SHOULD be non-critical In Public PKI, RP SHOULD NOT require policy control In Private PKI, RP MAY require policy control

7 Security Considerations (cont ’ d) Hybrid Trust model (added)  Actual model MAY be hybrid trust model.  PKI domain X -> PKI domain Y: User Trust List  PKI domain X <- PKI domain Y: Cross-Certification Asymmetric policy mapping (added)  Loop of certification path MAY derive unforeseen security hole  Such certification path MUST NOT be allowed same DN appears twice on one certification path same DN appears non-continuously on one certification path

Future Plan ’03 Dec  Now release -02 ’04 Jan  Review ’04 Feb  will release -03 reflected review ’04 Mar  59 th IETF  Poll to Last Call for this I-D ’04 Apr  will release -04 reflected review in PKIX ML  To Recommend standardization this I-D to IESG with AD and WG chairs. ’04 Aug  60 th IETF  To hope status is Last Call until 60th IETF!

Related Resources Challenge PKI homepage  Multi-domain PKI interoperability Framework   This newest I-D is available here linked.  This site is also repository of this I-D for minor update.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.