Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.

Presentation transcript:

Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01

Agenda
– PKI and Directories: Complementary Middleware Services
– Directories for Certificate Management
– Directories for Authorization Information: Attributes and Roles
– Directory Support for Privacy and Other Security Services
– Work Items for Consideration

PKI and Directories are Complementary
– Credo: Middleware services assist application roll-out
– Applications bring people and services together … in a controlled fashion
– We need both directory and security services to do apps
– But PKI and Directory are complementary in a stronger sense
– Most I's in PKI hand off key functions to directories
– Not all do (see PKI Ultra-Lite)
– Secure directories of the future may leverage PKI for PAIN
  – Privacy, Authentication, Integrity, Non-repudiation

Directories for Certificate Management
– Certificate management services via directories
– Certificate Repository: where apps can find X.509 certificates
– Find the person entry, then look for the userCertificate attribute
  – Carl Ellison asks: how do you know you've got the right Tom Smith?
– Open question: as we issue multiple certificates, how do we get the right one?

Directories for Certificate Management
– Certificate Revocation Lists (CRLs)
– Certs can contain a CRL Distribution Point extension
– That extension MAY contain a URI pointing to the CRL
– Needed because the vision of a global X.500 directory remains just that
– An alternative to CRLs is the Online Certificate Status Protocol (OCSP) service
– Certs can contain an Authority Information Access extension
– That extension MAY contain the name of an associated OCSP server
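As an added illustration (not part of the original slides), the Go program below issues a constructed end-entity certificate carrying both extensions named on this slide, then plays both sides of a CRL check: the CA signs a CRL, and the relying party verifies the CRL's signature against the issuer before searching it for the certificate's serial number. The CA name, subject, serial numbers and URLs are constructed placeholders, not real services.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const crlURL, ocspURL = "http://crl.example.edu/ca1.crl", "http://ocsp.example.edu/" // constructed placeholders
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a self-signed CA and an end-entity cert carrying the CRL Distribution
// Point and Authority Information Access (OCSP responder) extensions from the slide.
func issue() (ca, ee *x509.Certificate, caKey ed25519.PrivateKey) {
	_, caKey, _ = ed25519.GenerateKey(rand.Reader)
	eePub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	eeTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Tom Smith"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: []string{crlURL}, OCSPServer: []string{ocspURL}}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	ee = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeTmpl, ca, eePub, caKey))))
	return ca, ee, caKey
}

// isRevoked: the CA signs a CRL listing revoked serials (what a client would fetch from
// ee.CRLDistributionPoints); the relying party verifies the CRL, then searches it for ee.
func isRevoked(ca *x509.Certificate, caKey ed25519.PrivateKey, ee *x509.Certificate, revoked ...*big.Int) bool {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
	if err := crl.CheckSignatureFrom(ca); err != nil { // an unsigned or foreign CRL proves nothing
		panic("untrusted CRL: " + err.Error())
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(ee.SerialNumber) == 0 {
			return true
		}
	}
	return false
}
```

A real client would download the CRL from the URI found in ee.CRLDistributionPoints instead of receiving it from the same process, and would apply the same signature check before trusting it.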

Directories for Certificate Management
– Certificate Repositories and CRLs
– Commercial PKI software suites may do this for you
– However, you will need to integrate with the enterprise directory
– If you roll your own PKI, this is an item on the long list of tasks
– NOTE: PKI Lite and Ultra-Lite can live without directories
  – Signed, encrypted
  – Simple access control to web pages

Directories for Authorization Info
– Attributes and Roles tend to live in directories
– Good place to put them so apps can find them easily
– Proposed principle: whatever else we do, let's issue simple Identity certificates as a first step
– Why? Such a cert merely asserts a binding between a public key and a principal (a person, for this discussion)
– That assertion is likely to remain valid for some time
– Lessens frequency of revocation and reissuance
– But it creates a need for tight PKI-Directory integration
– PRIVACY ALERT!!! Threat to anonymity

Directories for Authorization Info
– Identity certificates and PKI-Directory integration
– Use the certificate for the authentication step
– Access control decisions depend on role-service mappings
– Roles are carried by authenticated principals
– So given a cert, the app must be able to learn more about the subject
– The Subject field in the certificate is a Distinguished Name (DN)
– So if we know where to look, we can ask more about the subject

Directories for Authorization Info
– Identity certificates and PKI: where should we go to ask more about the subject?
– A good use for the Directory of Directories for Higher Education (?)
– For Federal PKI, reliance on X.500 chaining and referrals (?)
– What about apps that are supposed to work in both domains?
– Once you've found the directory, a simple lookup will find the subject's full entry

Directories for Authorization Info
– More on Role-Service Mappings:
– Our policies (institutional and inter-institutional) will determine which roles (or groups) are eligible for which services
– In turn, roles and groups are defined by policy or business practice

Directories for Authorization Info
– More on Role-Service Mappings:
– Directories are the logical place to express roles and group memberships
– Groups in directories are a current hot item for MACE-Dir
– Communities of interest will need to define roles and groups
– Communities of interest will need to be in deep agreement
– Two basic varieties of groups: attribute based and ad hoc

Directories for Authorization Info
– What if we opt for attribute certificates?
– The directory is still the place to find authoritative attribute assertions from which to build attribute certificates
– Shifts the burden of community of interest agreement from directory schema to attribute certificate profiles

Directory Support for Privacy
– PRIVACY ALERT!! A simple Identity certificate will lead you right to the cache of information in the bearer's directory entry
– One counter-measure: control access to the directory
– Means directory clients must themselves authenticate to the directory
– Means non-person security principals
– Means directory support for access control information
  – How fine-grained?
  – Not yet standardized (LDAP-Ext work in progress)
– Another avenue: Pseudonymous Identity Certificates
– The DN of the subject of a pseudonymous cert reveals nothing about the subject

Directory Support for Privacy
– Pseudonymous Identity Certificates: inspired by DLF, shaped by MACE-Shibboleth
– The DN of the subject of a pseudonymous cert reveals nothing about the subject
– Paired with authenticated binds to the directory, a powerful privacy protection mechanism
– “I'm App X, tell me about ‘XhJSedrtE’”
– But means more work for the PKI-Directory Integration Team
– And if persistent, nefarious interests can leverage it

Directory Support for Info Integrity
– The higher the risk, the more we must secure our directories
– One aspect is directory client confidence in the returned attributes
– Signed assertions as attributes in the directory
– I can decide if I trust the signer of the assertion
– I can be assured that the attribute value has not been altered in transit
– See OASIS Open work on the Security Assertion Markup Language (SAML)
– Rare vendor convergence (except MS) on ways to express authentication and authorization assertions

Caution: Work Zone Ahead
– Repositories and CRL services in roll-your-own PKIs
– Integration of PKI Suite repositories with enterprise directory
– How do we get the right cert from the repository?
– Picking the apps to work on first (avoiding insanity and ennui)
– Community of interest role definition and maintenance

Caution: Work Zone Ahead
– Support for pseudonymous identity certificates
– Support for privacy and other security services (big)
– Oh yes, what about support for mobility (IETF-Sacred)
– OID-vey
– Policies are coming: CP, sure, but DP!?!?!

Your Turn
– Q & A & Discussion