A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Presentation transcript:

Background

This has been the topic of WG discussion:
– who should be the putative TA for the RPKI
– how TA material should be published

Focus the discussion by creating a document to address Trust Anchors for the RPKI:
– Removed section 6.3 from the Resource Certificate profile draft
– Created a new draft with this material: draft-ietf-sidr-ta-00.txt

Who?

The draft is silent on prescribing roles for bodies:

    This document does not nominate any organizations as default trust anchors for the RPKI.

Reasons for this position:
– This task falls outside the IETF WG's remit, which relates to conventional protocol parameter registry functions
– The standard technology specification should encompass use in a broad spectrum of contexts, including various forms of private use as well as public use

However, the document does observe that, for most RPs, the IANA is in a unique role as the default TA for representing public address space and public AS numbers.

How?

No change from the previous TA specification in draft-ietf-sidr-res-certs
– (aside from some terminology clarifications)

Two-Tier Model of Trust Anchor:
– Allows for variation in the resources held at the root while keeping the trust anchor material constant
– Can be used in a variety of contexts, both public and private
– Aligns with the TA work in the PKIX WG (draft-ietf-pkix-ta-format-01)

Slides 1 to 5 build up the trust anchor material as a diagram, one box at a time. The box contents are:

1. External Trust Anchor Certificate (ETA)
   ETA TA Certificate: Issuer: ETA; Subject: ETA; CA: True (no 3779 ext); Signed: ETA

2. Certificate Revocation List for ETA
   CRL of ETA: Issuer: ETA; Signed: ETA

3. ETA EE Certificate (for CMS Object Verification)
   ETA EE Certificate: Issuer: ETA; Subject: ETA EE; CA: False (no 3779 ext); Signed: ETA

4. RPKI TA Certificate
   RPKI TA Certificate: Issuer: RPKI TA; Subject: RPKI TA; CA: True; 3779 Exts; Signed: RPKI TA

5. CMS packaging of the RPKI TA Certificate
   CMS Signed Object: CMS Header; CMS Payload = the RPKI TA Certificate; Signed: ETA EE