MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.

Presentation transcript:

mPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net

2 Abstracts of this I-D
This memo shares the awareness necessary for the deployment of multi-domain PKI. The scope of this memo is establishing trust relationships and interoperability between multiple PKI domains. Both single-domain PKI and multi-domain PKI are established by the trust relationships between CAs. Typical and primitive PKI models are specified as single-domain PKI. A multi-domain PKI established by multiple single-domain PKIs is categorized as either a multi-trust point model or a single-trust point model. The multi-trust point model is based on the trust list model, and the single-trust point model is based on cross-certification.

3 I-D contents
1 Introduction
2 Requirements and Assumptions
3 Trust Relationship
4 PKI Domain (new)
5 Single-domain PKI
6 multi-domain PKI
7 Security Considerations
8 References
9 Acknowledgements
10 Author's Address
11 Full Copyright Statement

4 CHANGES
- Add the figures
  - Structure of multi-domain PKI
  - Each PKI model
- Terminology and Assumptions
  - Modify some terminology
  - Assumptions for Repository
- Define PKI Domain
  - Add new section
- Modify a definition of some PKI model
  - Cross-Certification model
  - Subordination model
  - Hub model
- Consider for trusted third CA
  - Trusted Third CA in Hub model and Super domain model
- Security Considerations
  - Certificate and CRL Profile
  - Asymmetric problem

5 1. Structure of multi-domain PKI
[Figure: structure of multi-domain PKI. Labels: PKI domain, Domain-Domain Trust Relationship, PCA, CA-CA Trust Relationship, CA.]

6 2. Requirements & Assumptions
- Modified Terminology
  - See actual I-D.
- Assumptions for Repository
  - Repository is necessary to support a certification path
  - This I-D does not specify whether HTTP or LDAP.

7 3 Trust relationship
- 3.2 Cross-Certification
  - Change the self-signed cert requirement of the CA issuing the cross-cert from SHOULD to MUST
  - Add how to store the cross-certificate in the directory server
- 3.3 Subordination
  - Add considerations for the case where the sub CA issues a self-signed cert

8 4 PKI domain
- 4.1 Requirements for PKI domain
  - Set of PKIs sharing more than one common policy
  - No need for a policyId of the common policy
- 4.2 Risk Analysis of PKI domain
  - Problem depending on lack of policyId
- 4.3 Requirements for multi-domain PKI
  - More requirements for multi-domain PKI

9 6 multi-domain PKI
- Hub model
  - Add requirements in detail
  - Especially Bridge CA requirements
- Considerations for trusted third CA
  - Trusted Third CA
    - Bridge CA in Hub model
    - Top CA in Super domain model
  - Considerations for trusted third CA in multi-domain PKI

10 7 Security Considerations
- Certificate and CRL profile
  - critical-flag of extensions for local PKI domain
- Asymmetric problem
  - Hybrid trust model
    - X to Y: cross-certification model
    - Y to X: trust list model
  - Asymmetric policy mapping
    - X to Y: X.1 := Y.1
    - Y to X: Y.1 := X.2
[Figure labels: CA-X, CA-Y, CrossCert, Trust List; CA-X, CA-Y, X.1 := Y.1, Y.1 := X.2; CA-A, CA-B, A.1 := X.1, X.2 := B.1. Question posed: SHALL CA-A trust CA-B?]
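The asymmetric policy mapping on this slide can be checked mechanically. The following is an added example, not code from the I-D or the slides: it assumes each "P := Q" label is a directed mapping from P to Q that a validator follows transitively, and the function names are hypothetical. It flags mapping chains that leave a domain under one policy and return under another, and shows the chain by which A.1 would reach B.1.

```python
from collections import deque

# Mappings constructed from the slide's labels. Reading "P := Q" as a
# directed edge P -> Q is an assumption of this example.
MAPPINGS = [
    ("A.1", "X.1"),  # A.1 := X.1
    ("X.1", "Y.1"),  # X to Y: X.1 := Y.1
    ("Y.1", "X.2"),  # Y to X: Y.1 := X.2
    ("X.2", "B.1"),  # X.2 := B.1
]
# Control case (constructed): Y maps Y.1 back to X.1, so the round trip is symmetric.
SYMMETRIC = [("A.1", "X.1"), ("X.1", "Y.1"), ("Y.1", "X.1"), ("X.2", "B.1")]

def domain(policy):
    """Domain part of a policy label, e.g. 'X' for 'X.2'."""
    return policy.split(".", 1)[0]

def reachable(mappings, start):
    """Return {policy: path} for every policy reachable from start."""
    graph = {}
    for src, dst in mappings:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, []):
            if nxt not in paths:  # visited check also stops mapping loops
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def asymmetric_round_trips(mappings):
    """Chains that return to the starting domain under a different policy."""
    findings = []
    for src in sorted({s for s, _ in mappings}):
        for dst, path in reachable(mappings, src).items():
            if dst != src and domain(dst) == domain(src):
                findings.append((src, dst, path))
    return findings

if __name__ == "__main__":
    for src, dst, path in asymmetric_round_trips(MAPPINGS):
        print(f"{src} comes back as {dst} via {' -> '.join(path)}")
    chain = reachable(MAPPINGS, "A.1").get("B.1")
    print("A.1 reaches B.1 via:", " -> ".join(chain) if chain else "no chain")
```

Under this reading, A.1 reaches B.1 only through the X.1 -> Y.1 -> X.2 round trip; with the symmetric control mappings no such chain exists.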

11 Working Items
- To sort an intentional model and a non-intentional model
  - Authority Trust List model and Mesh model MAY be non-intentional model.
- To consider Trust list model again
  - Most actual Trust list model does not use policyId.
- To select appropriate term
  - trusty PKI domain and trusted PKI domain
  - trusted third CA
  - Top CA in Super Domain model
- To Maintain the remaining TBD items
- MUST collect more comments and review!
- All items will be fixed in -02.

12 Future Plan
- '03 Nov, 58th IETF
  - To Discuss with AD and WG chairs the necessity to publish this BCP.
  - Call Reviewer
- '03 Dec: will release -02
- '04 Jan: Review by Reviewer
- '04 Feb: will release -03 reflected review
- '04 Mar, 59th IETF
  - Poll on PKIX ML
- '04 Apr: will release -04 reflected review in PKIX ML
  - To Recommend standardization this I-D to IESG with AD and WG chairs.
- '04 Aug, 60th IETF
  - To hope status is Last Call until 60th IETF!

13 Related Resources
- Challenge PKI homepage
- Multi-domain PKI interoperability Framework
  - The newest version of this I-D is available at the link here.
  - This site is also the repository of this I-D for minor updates.