Use of AIA for Attribute Certificates

Background
- X.509 (2009) working on PMI interworking between domains
- Defining several new AC extensions for role mappings, attribute hierarchies etc.
- Needs an extension to point to the superior in a PMI delegation chain
- AIA is the obvious choice, and this is being used by VOMS in the grid world
- Last ITU-T meeting in Jeju (May 2006) issued a liaison statement to PKIX group asking if AIA can be used for ACs

Verifying Claimed Privilege (diagram)
- Actors: Root CA, Bill (SOA), Alice (AA), Bob (Holder), Privilege Verifier (RP)
- Root CA signs Alice's public key, Bill's public key and Bob's public key
- Bill issues an AC to Alice; Alice issues an AC to Bob; Bob issues a signed command to the Privilege Verifier
- Privilege Verifier checks the delegation of privileges, checks all signatures, and checks the privilege is sufficient

Two types of trust chain need to be followed from a presented AC
- PKI chain of public key certificates from signer of an AC to a root CA (trust anchor)
  – Bob's AC → Alice's PKC → Root CA
- PMI chain of attribute certificates from holder of an AC to Source of Authority (SoA)
  – Bob's AC → Alice's AC → Bill SoA

Extensions to support trust chains
- We can use Authority Key Identifier inside holder's AC to point to PKC of AC issuer
  – AKI will point to Alice's PKC, and off we go using existing PKI rules
- We want to use Authority Information Access inside a holder's AC to point to AC of AC issuer
  – AIA will point to Alice's AC

What are the problems with the latest AIA 3280bis-4 text?
- Quote: "The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears"
  – EXCELLENT
- BUT Quote: "This extension may be included in end entity or CA certificates"
  – Q. Does this exclude ACs?? Stephen thinks not.
- Quote: "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
  – Problem. The access method is specifically focussed on CA certificates and does not allow it to be used to point to ACs

Resolution
- Either: We define a new access method, id-ad-aaIssuers, identical to the current one in syntax, but with a different name, OID and descriptive text
- Or: We modify the existing access method by calling it id-ad-issuers and change the current text from "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension" to "When the id-ad-issuers OID is used, the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
  – And change all occurrences of id-ad-caIssuers to id-ad-issuers
  – We can then write appropriate text for id-ad-issuers when it occurs in ACs
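As an added example (not code from the presentation or from any standard it cites), the Python below encodes and decodes the DER AuthorityInfoAccessSyntax value and shows how an AC verifier would separate the access descriptions into the two chains of the earlier slides: id-ad-caIssuers pointers for the PKI chain and the proposed AA-issuer pointers for the PMI chain. ID_AD_AA_ISSUERS is an assumed placeholder OID (the slides propose the name, no OID is assigned), and the URIs are constructed.

```python
# Added example (not from the presentation): minimal DER encode/decode of the RFC 3280
# AuthorityInfoAccessSyntax (SEQUENCE OF AccessDescription {accessMethod OID, accessLocation}).
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # id-ad-caIssuers, as assigned in RFC 3280
ID_AD_AA_ISSUERS = "1.3.6.1.5.5.7.48.999"  # PLACEHOLDER: no OID is assigned for id-ad-aaIssuers

def _base128(v):                         # OID sub-identifier: 7 bits per byte, high bit = more
    out = [v & 0x7F]
    while v := v >> 7:
        out.append(0x80 | (v & 0x7F))
    return bytes(reversed(out))
def _tlv(tag, body):                     # DER tag + length (short or long form) + body
    lb = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, _base128(a[0] * 40 + a[1]) + b"".join(map(_base128, a[2:])))
def encode_aia(descs):                   # descs: [(accessMethod OID, URI)]; URI = [6] IA5String
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(m) + _tlv(0x86, u.encode("ascii")))
                               for m, u in descs))

def _read_tlv(buf, i):                   # -> (tag, body, offset of the next element)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                         # long-form length
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n
def decode_aia(der):                     # -> [(DER-encoded accessMethod OID, URI)]
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    out, i = [], 0
    while i < len(seq):
        _, ad, i = _read_tlv(seq, i)
        _, _, j = _read_tlv(ad, 0)       # j = end of the accessMethod OID inside this AD
        loc_tag, loc, _ = _read_tlv(ad, j)
        if loc_tag != 0x86:              # only uniformResourceIdentifier ([6]) is handled here
            raise ValueError("unsupported accessLocation tag 0x%02x" % loc_tag)
        out.append((ad[:j], loc.decode("ascii")))
    return out

CHAIN_OF = {encode_oid(ID_AD_CA_ISSUERS): "pkc_of_issuer",   # PKI chain: PKC of the AC issuer
            encode_oid(ID_AD_AA_ISSUERS): "ac_of_issuer"}    # PMI chain: AC of the AC issuer
def issuer_pointers(der):                # other access methods (e.g. OCSP) are skipped
    chains = {"pkc_of_issuer": [], "ac_of_issuer": []}
    for method, uri in decode_aia(der):
        if method in CHAIN_OF:
            chains[CHAIN_OF[method]].append(uri)
    return chains

SAMPLE_AIA = encode_aia([(ID_AD_CA_ISSUERS, "http://pki.example/alice.cer"),   # constructed: Bob's AC
                         (ID_AD_AA_ISSUERS, "http://pmi.example/alice.ac")])   # -> Alice's PKC and AC
```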