2/29/2004Profile-04 open issues draft-ietf-ipsec-pki-profile-04.txt (Potentially) Open Issues Gregory M Lebovitz

Overview
– NAT-T considerations?
– Certificate type?
– PKI life cycle material passed in-band?
– Critical bit?
– 2401bis sync'ing?
– CDP / AIA?

NAT-T
– Does NAT-T affect this profile at all, and if so, how?
– Need an owner to write the text and own this part of the document.

Certificate Type?
– PKIX?
  – Signing?
– DNSSEC-signed keys?
– PGP?
– Kerberos?
– SPKI certificates?
– PKIX attribute certificates?
PROPOSAL:
– PKIX X.509 with RSA and SHA-1. DONE.

PKI Life Cycle Stuff In-Band?
– CRLs?
– Intermediate certs?
– Trust anchors?
– Other revocation information?

Life Cycle Stuff - PROPOSAL
Philosophy:
– Put all life cycle material in its own bucket, out of band of IKE, as a rule. It will be handled in charter items [2] and [3].
– Minimize fragmentation and bloat to avoid UDP fragmentation (firewalls choke on fragmented IKE).
– Neither IKEv1 nor IKEv2 has adequate expression for querying detailed PKI elements such as revocation data and intermediate certs.
Proposal - MUST NOT REQUEST or SEND:
– CRLs
– Trust anchors
– Intermediate certs
– Other revocation info
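Reduced to code, the proposal is a filter on what an IKE implementation puts into CERT and CERTREQ payloads. The Python below is an added example written for this page; it is not code from the draft or from any IKE implementation. It uses the IKEv2 generic payload header and the Certificate Encoding values as later standardised in RFC 7296 section 3.6, and it stands in constructed placeholder byte strings for the DER objects. The receiver-side handling (drop rather than fail) and the MTU arithmetic (IPv4 + UDP + IKE header, no NAT-T marker, nothing else in the message) are assumptions, since the slide only constrains requesting and sending.

```python
import struct

# IKEv2 Certificate Encoding values from the CERT/CERTREQ payload (RFC 7296 section 3.6).
ENC_PKCS7_X509 = 1
ENC_PGP = 2
ENC_DNS_SIGNED_KEY = 3
ENC_X509_SIGNATURE = 4
ENC_KERBEROS = 6
ENC_CRL = 7
ENC_ARL = 8
ENC_SPKI = 9
ENC_X509_ATTRIBUTE = 10
ENC_RAW_RSA = 11
ENC_HASH_URL_CERT = 12
ENC_HASH_URL_BUNDLE = 13

PAYLOAD_CERT = 37        # payload type number of CERT (RFC 7296 section 3.2)
NO_NEXT_PAYLOAD = 0

# The proposal as a rule: the only thing that goes into a CERT payload, or is asked
# for in a CERTREQ, is an X.509 signature certificate for the end entity itself.
ALLOWED_ENCODINGS = {ENC_X509_SIGNATURE}

# Assumed on-the-wire overhead for the fragmentation estimate:
# IPv4 header + UDP header + IKE header, no NAT-T non-ESP marker.
IPV4_HDR, UDP_HDR, IKE_HDR = 20, 8, 28


def build_payload(next_payload, encoding, data):
    """Generic IKEv2 payload header (Next Payload, C|RESERVED, Payload Length)
    followed by the CERT body: one Cert Encoding octet and the certificate data."""
    body = bytes([encoding]) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_cert_chain(items):
    """Serialise [(encoding, data), ...] as consecutive CERT payloads; every header's
    Next Payload field points at the following CERT, the last one carries 0."""
    out = b""
    for i, (enc, data) in enumerate(items):
        nxt = PAYLOAD_CERT if i + 1 < len(items) else NO_NEXT_PAYLOAD
        out += build_payload(nxt, enc, data)
    return out


def parse_cert_chain(buf):
    """Walk consecutive CERT payloads and return [(encoding, data), ...]."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated payload header at offset %d" % pos)
        nxt, _flags, length = struct.unpack("!BBH", buf[pos:pos + 4])
        if length < 5 or pos + length > len(buf):
            raise ValueError("malformed CERT payload at offset %d" % pos)
        items.append((buf[pos + 4], bytes(buf[pos + 5:pos + length])))
        pos += length
        if nxt == NO_NEXT_PAYLOAD:
            break
    return items


def select_outbound(local_store):
    """local_store: [(role, encoding, data)]. Send only the end-entity certificate;
    trust anchors, intermediates and revocation data stay out of band."""
    return [(enc, data) for role, enc, data in local_store
            if role == "end-entity" and enc in ALLOWED_ENCODINGS]


def certreq_encodings(wanted):
    """Strip any CERTREQ encoding that would ask the peer for CRLs, ARLs or other
    life-cycle material."""
    return [enc for enc in wanted if enc in ALLOWED_ENCODINGS]


def filter_inbound(items):
    """Receiver side (assumption): keep X.509 signature certs, drop everything else
    and report what was dropped instead of failing the exchange."""
    kept = [(enc, data) for enc, data in items if enc in ALLOWED_ENCODINGS]
    dropped = [enc for enc, _ in items if enc not in ALLOWED_ENCODINGS]
    return kept, dropped


def fits_in_mtu(cert_payload_bytes, mtu=1500):
    """Crude check that the CERT payloads alone do not push the datagram past the MTU."""
    return IPV4_HDR + UDP_HDR + IKE_HDR + cert_payload_bytes <= mtu


# Constructed placeholder blobs standing in for DER objects (not real certificates).
LOCAL_STORE = [
    ("trust-anchor", ENC_X509_SIGNATURE, b"TA" * 400),
    ("intermediate", ENC_X509_SIGNATURE, b"CA" * 500),
    ("end-entity", ENC_X509_SIGNATURE, b"EE" * 450),
    ("crl", ENC_CRL, b"RL" * 1000),
]

if __name__ == "__main__":
    everything = build_cert_chain([(e, d) for _, e, d in LOCAL_STORE])
    minimal = build_cert_chain(select_outbound(LOCAL_STORE))
    print("all material: %d bytes, fits MTU: %s" % (len(everything), fits_in_mtu(len(everything))))
    print("end-entity only: %d bytes, fits MTU: %s" % (len(minimal), fits_in_mtu(len(minimal))))
    kept, dropped = filter_inbound(parse_cert_chain(everything))
    print("received %d usable cert(s), dropped encodings %s" % (len(kept), dropped))
```

Run stand-alone, the script shows the point of the fragmentation bullet: the full store (trust anchor, intermediate, end-entity cert and CRL) blows well past a 1500-byte MTU, while the end-entity certificate alone fits. Note that the receiver cannot tell an intermediate from an end-entity cert by encoding value, so a peer that ignores the rule still gets its extra encoding-4 certs through the inbound filter; rejecting those is a path-validation decision, not a payload-level one.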

Critical Bit
Issue:
– How do we handle extensions that are marked critical?
– Drop, or don't drop, the certificate if you don't understand the extension?
Options

2401bis Sync'ing?
SPD
– Matching for cipher suite proposal
– Pull from IKE_ID, and look up for SPD match
– Match to appropriate cert contents for validation of presented ID
PAD
– Use anything else you want in the cert or ID to look up authorization, and do AAA

CDP / AIA Inclusion?
– SHOULD? MUST? Not at all? Push to [2] and [3]?
PROPOSAL
– SHOULD send; MUST be able to process upon receipt
– MUST accept certs without it

KU & EKU Handling
Background
– CAs aren't flexible enough in what they do and don't allow to be configured for (E)KU. Therefore, we can't depend on it.
PROPOSAL:
– Sender: put whatever you want, or nothing; it doesn't matter, it will be ignored altogether.
– Receiver: ignore it altogether.
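The three extension-handling slides (critical bit, CDP/AIA, KU/EKU) combine into one evaluation pass over a certificate's Extensions field. The Python below is an added example written for this page, not code from the draft or from any implementation. It carries its own minimal DER encoder and decoder for the Extension structure of RFC 3280, so it runs without an ASN.1 library, and it resolves the open critical-bit question the way RFC 3280 section 4.2 does (unknown critical extension rejects the certificate, unknown non-critical extension is ignored); that choice is this example's, not a decision recorded on the slide. The sample extension values are constructed placeholders, and the private-arc OID 1.3.6.1.4.1.99999.1 is hypothetical.

```python
# Extension OIDs this evaluator knows about (RFC 3280 section 4.2).
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"

IGNORED_PER_PROPOSAL = {OID_KEY_USAGE, OID_EXT_KEY_USAGE}            # KU/EKU slide
OPTIONAL_POINTERS = {OID_CRL_DISTRIBUTION_POINTS, OID_AUTHORITY_INFO_ACCESS}  # CDP/AIA slide
UNDERSTOOD = {OID_SUBJECT_ALT_NAME, OID_BASIC_CONSTRAINTS} | IGNORED_PER_PROPOSAL | OPTIONAL_POINTERS


# Minimal DER, enough for Extension ::= SEQUENCE { OID, BOOLEAN DEFAULT FALSE, OCTET STRING }.
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:               # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def build_extension(oid, value, critical=False):
    body = encode_oid(oid)
    if critical:
        body += der(0x01, b"\xff")     # DER omits BOOLEAN FALSE because of DEFAULT FALSE
    return der(0x30, body + der(0x04, value))


def build_extensions(exts):
    return der(0x30, b"".join(exts))


def parse_extensions(buf):
    """Return [(oid, critical, extnValue bytes), ...] from a DER Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        critical = False
        tag, value, p = read_tlv(ext, p)
        if tag == 0x01:                # optional critical BOOLEAN present
            critical = value != b"\x00"
            _, value, p = read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, value))
    return out


def evaluate_extensions(buf):
    """KU/EKU ignored outright, CDP/AIA optional but noted, other understood extensions
    passed through, unknown critical rejects, unknown non-critical is ignored."""
    verdict = {"accept": True, "reason": "ok", "cdp": False, "aia": False, "ignored": []}
    for oid, critical, _value in parse_extensions(buf):
        if oid in IGNORED_PER_PROPOSAL:
            verdict["ignored"].append(oid)
        elif oid == OID_CRL_DISTRIBUTION_POINTS:
            verdict["cdp"] = True
        elif oid == OID_AUTHORITY_INFO_ACCESS:
            verdict["aia"] = True
        elif oid in UNDERSTOOD:
            continue
        elif critical:
            verdict.update(accept=False, reason="unrecognized critical extension " + oid)
            break
        else:
            verdict["ignored"].append(oid)
    return verdict


# Constructed sample values: the KU is a real digitalSignature BIT STRING, the other
# bodies are placeholder empty SEQUENCEs, not real DistributionPoint/AccessDescription data.
KU_DIGITAL_SIGNATURE = der(0x03, b"\x07\x80")
PLACEHOLDER_SEQ = der(0x30, b"")
OID_UNKNOWN_PRIVATE = "1.3.6.1.4.1.99999.1"   # hypothetical private-arc extension

SAMPLES = {
    "cdp_and_critical_ku": build_extensions([
        build_extension(OID_CRL_DISTRIBUTION_POINTS, PLACEHOLDER_SEQ),
        build_extension(OID_KEY_USAGE, KU_DIGITAL_SIGNATURE, critical=True)]),
    "no_pointers": build_extensions([
        build_extension(OID_BASIC_CONSTRAINTS, PLACEHOLDER_SEQ, critical=True)]),
    "unknown_critical": build_extensions([
        build_extension(OID_UNKNOWN_PRIVATE, PLACEHOLDER_SEQ, critical=True)]),
    "unknown_noncritical": build_extensions([
        build_extension(OID_UNKNOWN_PRIVATE, PLACEHOLDER_SEQ)]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, evaluate_extensions(blob))
```

The four samples exercise each rule: a critical KU is ignored rather than enforced, a certificate without CDP or AIA is still accepted, an unknown critical extension is the one case that rejects, and the same OID marked non-critical is simply skipped. Real validators also need the extnValue contents (name constraints, basicConstraints cA flag for the path); this pass only decides what the profile says about presence and criticality.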

Others? Come to the microphone.

Let's rev and go to WG last call!