Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.



Why This Document?
- Certificate path building is relatively easy to do, but difficult to do well
- Implementations are frequently oversimplified or vendor specific in nature
  – Leads to interoperability problems where one vendor’s solution frequently may not work with another vendor’s PKI
- This paper seeks to provide generic path building guidance that should work with any vendor’s PKI
  – The intent is to promote both efficiency and interoperability

Why This Document?
- There is currently a lack of guidance relating to certificate path building
- This leaves the software developers, who may lack extensive experience in PKI, on their own to determine how to go about building paths
  – Naturally, this can lead to less than comprehensive path building solutions
- The intent of this document is to provide guidance to software developers in the hope that it will help improve certificate path building modules in general
  – Nothing in the document is intended to be prescriptive

What’s Inside
- In addition to providing an overview of path building and PKI structures, this document seeks to address four areas of path building considerations:
  – Help in making the decision of building from the trusted root (reverse) or the end entity (forward)
  – Methods that may make certificate path building more efficient (Finding the “best path first”)
  – Common flaws in path building modules
  – Simplifying the decision tree

Changes from -00 to -01 (General)
- made certain terminology more consistent ("certification path" throughout the document instead of "certificate path", "cert path", etc.)
- softened the tone; made it clear that the document provides informational recommendations and does not prescribe a particular method for certification path building
- removed statements on the document providing guidance based on "best practices" but instead explicitly defined the motivation and purpose behind the document, as well as the criteria that led to the guidance provided.
- removed some non-ascii characters that had snuck in

Changes from -00 to -01 (Specific)
- Thoroughly updated section 1.1 (Motivation) and 1.2 (Purpose)
- updated terminology section to include a few additional terms
- updated mesh PKI figure to better differentiate it from other structures
- included a section (2.2) that clearly identifies the authors' criteria for a path building implementation
- broke up section 2.4 (How to Build a Certification Path) with some subsections
- added section 3.3 (Representing the Decision Tree Programmatically)
- updated section 3.5 to include additional information about the sorting methods that follow. Sorting methods are no longer called "rules".
- added section 5.4 (Distinguished Name Encoding)
- added section 6.3 (Subject Information Access)

Current comments
- The document has a section on certificate and CRL retrieval (Section 6, Retrieval Methods) which discusses some mechanisms that may be used by implementations when attempting to retrieve certificates
- It has been requested that we add information on what extensions can be used to pass retrieval location information
  – We feel this is accomplished in sections 6.2, 6.3, 6.4 (Perhaps with a few new words)
  – Since this document is informational, we do not intend to add SHOULDs and MUSTs

Current comments
- The current draft uses the words “building”, “discovery”, and “obtaining” to mean basically the same thing.
  – Our next draft will address this issue.
  – We will clearly define the terms that are used, and use them consistently through the draft
- “Subscriber”, “User”, and “End Entity”
  – Since path building is not always done for a user or subscriber certificate (i.e. Indirect CRL Issuer) we will attempt to normalize this toward “End Entity”

Current comments
- The term “Trust” is used without a clear definition
  – I don’t think we want to wrestle that monster; however, I think we will identify that “Trust” in this document means “public key can be trusted subject to the validation procedure in RFC 3280”
- Section (Bridge Structures) refers to Bridges as non-hierarchical
  – We will repeat the comment from 2.3 that no matter the structure, it always simplifies to a (series of) hierarchical structure(s).

Current comments
- Section 1.5 provides two reasons why Bridge CA support should be included
  – The second reason is the only important one; the first reason (“Because they exist”) will be minimized
- Why is building from the EE called “Forward” and building from the Root called “Reverse”?
  – The reason (crossCertificate naming) will be identified in the document
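An added example, not taken from the draft or written by its authors: forward path building (from the end entity toward a trust anchor) as a depth-first search over a constructed bridge topology, showing how the search from one end entity unrolls into a hierarchical decision tree. Certificates are modelled as (issuer, subject) name pairs only, with no signature, validity or extension checks; all names, the candidate ordering and the `max_len` limit are assumptions made for illustration.

```python
# Constructed sample PKI: two hierarchies joined by a bridge CA.
# Each certificate is modelled as (issuer, subject); all names are invented.
CERTS = [
    ("RootA", "RootA"),    # self-signed trust anchor of domain A
    ("RootA", "CA-A1"),
    ("CA-A1", "alice"),
    ("RootB", "RootB"),    # self-signed trust anchor of domain B
    ("RootB", "CA-B1"),
    ("CA-B1", "bob"),
    ("Bridge", "RootA"),   # cross-certificates to and from the bridge
    ("RootA", "Bridge"),
    ("Bridge", "RootB"),
    ("RootB", "Bridge"),
]


def issued_to(subject):
    """Forward-direction candidates: certificates issued to `subject`."""
    return [c for c in CERTS if c[1] == subject and c[0] != c[1]]


def build_paths(end_entity, trust_anchor, max_len=8):
    """Depth-first forward build; yields each loop-free path, anchor first."""
    def walk(subject, path, seen):
        if len(path) > max_len:
            return
        # Illustrative ordering: try certificates issued by the anchor first.
        candidates = sorted(issued_to(subject),
                            key=lambda c: c[0] != trust_anchor)
        for cert in candidates:
            issuer = cert[0]
            if issuer in seen:
                # This name is already in the path; following it again
                # would loop through the mutual cross-certificates.
                continue
            new_path = [cert] + path
            if issuer == trust_anchor:
                yield new_path
            else:
                yield from walk(issuer, new_path, seen | {issuer})

    yield from walk(end_entity, [], {end_entity})
```
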

Current comments
- The document identifies a number of ways that paths may be built and considered “less trustworthy” than other alternatives
- Section has a confusing example
- There are some missing references, and the differences between normative and informative references need to be made.
- Section 8 – Security considerations mentions protection of root key and root cert—needs a slight rewording since root certs are not required
  – We’ll make the required changes for all these

Document Status
- As of this date, we have received and integrated comments from a number of people, resulting in the changes from (-00) to (-01).
- You can also see the open comments we plan to address in the document
- The next draft of this document will be released in November and is aimed at WG Last Call
  – we are still hoping for more comments before we release the next draft!

Questions?
- Contact Info
  – Peter Hesse
  – Matt Cooper
  – Yuriy Dzambasow x107
  – Susan Joseph
  – Richard Nicholas

Thank You