Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions.

Slides:

Advertisements

Similar presentations

Reporting Workflow Rita Noumeir, Ph.D. IHE Technical Committee.

Advertisements

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

PKI Artifact Retention March Purpose Current drafts are silent on how refreshed timestamp chains will be verified –i.e., from where will the various.

M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Pertemuan 16 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

ALT-C2010 7/09/ :50 Giving you back control of your data: An e-Qualification system for e-Portfolios Learning Societies Laboratory, School of Electronic.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

Trusted Archive Protocol (TAP) Carl Wallace

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Web Application Authentication with PKI & Other Functions Bill Weems & Mark B. Jones Academic Technology University of Texas Health Science Center at Houston.

HTML 5 Tutorial Chapter 8 Form Elements. New Form Element HTML5 has several new elements and attributes for forms. New form types : datalist keygen output.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Visual Signature Profile OASIS - DSS-X. Agenda General Requirements – Digital Signature operation Visual Signature content Verification Operation.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne – DSS-X member.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Chapter 9 Section 2 : Storage Networking Technologies and Virtualization.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

IEEE MEDIA INDEPENDENT HANDOVER DCN: MuGM Title: TGd Message Signing Proposal Date Submitted: Presented at IEEE d session.

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.

IETF - LTANS, March 2004P. Sylvester, Edelweb & A. Jerman Blazic, SETCCE Introduction The following slides were prepared as a result of analysis and discussion.

Evaluating trusted electronic documents Petr Švéda Security and Protection of Information ‘03 © 2003 Petr Švéda, FI MU.

Slide 1 © 2004 Reactivity The Gap Between Reliability and Security Eric Gravengaard Reactivity.

Integrating security services with the automatic processing of content TERENA 2001 Antalya, May 2001 Francesco Gennai, Marina Buzzi Istituto.

PI Data Archive Server COM Points Richard Beeson.

Evidence Record Syntax <draft-ietf-ltans-ers-00.txt>

ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas

Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.

SAML FTF #4 Workitems Bob Blakley. SAML “SenderVouches” SubjectConfirmation Method: A Proposed Alternative to Bindings 0.5 Proposals.

Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

LTANS WG: ERS November 7, 2005 Tobias Gondrom. LTANS WG (ltans): ERS Draft straightened up Corrected ERS (feedback from Peter and Carl) Prepared for WG.

PCE 64 th IETF PCE Policy Architecture draft-berger-pce-policy-architecture-00.txt Lou Berger Igor Bryskin Dimitri Papadimitriou.

Long-term Archive Service Requirements November 9, 2004.

1 ECHO ECHO 9.0 for Data Partners Rob Baker January 23, 2007.

LDAP for PKI Problems Cannot search for particular certificates or CRLs Cannot retrieve particular certificates or CRLs.

September, 2005What IHE Delivers 1 Patient Index and Demographic Implementation Strategies IHE Vendors Workshop 2006 IHE IT Infrastructure Education Rick.

Transport Layer Security (TLS) Extensions: Extension Definitions draft-ietf-tls-rfc4366-bis-00.

Long-term Archive and Notary Services (LTANS) Working Group.

11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.

SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.

Receipt Token Profile for Web Services Eric Gravengaard Reactivity.

LTAP Update July Overall status Getting closer to completion (but still incomplete) Primary outliers are definition of meta-data required to fulfill.

Key management issues in PGP

Denis Pinkas. Bull SA. Cryptographic Maintenance Policy IETF LTANS meeting in Paris August, 1rst , 2005 Denis Pinkas. Bull SA.

August 1, 2005 Carl Wallace & Tobias Gondrom

draft-ietf-geopriv-lbyr-requirements-02 status update

Edge Recorder Client

Presentation transcript:

Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions

Motivation LTAP has not been defined yet –Most early discussions and precursor specifications incorporated certification path information for the original document signer in the innermost layer of the ERS structure –Preservation layers cover this information This freezes the context in which the Evidence Record can be validated –Ideally verification context can move independently from original document EvidenceRecord structure does not cover validation information for TSAs SCVP servers will handle a large amount of artifacts and could serve as a convenient point of preservation I-D uses ERS and is complementary to the TBD LTAP specification

SCVP SCVP provides a means of building and validating certification paths relative to any point in time, i.e. SCVP servers can provide historical validation artifacts –SCVP does not define any preservation mechanisms to support validation relative to times in the past SCVP is extensible –By defining new wantBack types, validation relative to times in the past can be performed using EvidenceRecords that cover the validation information

SCVP/ERS Mechanics SCVP/ERS I-D specifies 6 OIDs and 2 structures OIDs correspond to existing SCVP wantBack OIDs used to return information such as public key certificates, certification paths or revocation information The resulting replyWantBack is an EvidenceRecord structure (as defined in ERS) that covers the value of the corresponding replyWantBack –For example, if a client requests id-swb-best-cert-path and id-swb-ers-best-cert-path, the resulting response will contain a two replyWantBacks: the path as a CertificateBundle and an EvidenceRecord. The evidence record in the id-swb-ers-best-cert-path replyWantBack covers the DER encoded CertificateBundle returned in the id-swb-best-cert-path replyWantBack.

SCVP/ERS Mechanics (continued) OIDPurpose *id-swb-ers-pkc-certRequest/return ERS for target certificate * id-swb-ers-best-cert-pathRequest/return ERS for certification path * id-swb-ers-revocation-infoRequest/return ERS for revocation info id-swb-partial-cert-pathRequest/return partial certification path (TA->target issuer’s certificate) id-swb-ers-partial-cert-pathRequest/return ERS for partial certification path (permits ERS to be calculated over paths not including target certificates) id-swb-ers-allRequest/return ERS for each other requested wantBack * Correspond to existing SCVP wantBacks

SCVP/ERS Mechanics (continued) Structure to support returning an ERS for any arbitrary wantBack is as follows EvidenceRecordWantBack ::= SEQUENCE { targetWantBack OBJECT IDENTIFIER, evidenceRecord EvidenceRecord OPTIONAL } EvidenceRecordWantBacks ::= SEQUENCE SIZE (1...MAX) OF EvidenceRecordWantBack

Issues When a client includes a id-swb-pkc-cert as a requestWantBack, the server returns the certificate in the body of the response, not as a replyWantBack –For mechanism in this ID to work, the target certificate would need to be returned as a replyWantBack This could be accomplished by defining a new OID to request target certificate as a replyWantBack Approach in this ID potentially increases the number ERS validations that must be performed –A client may need to retrieve and verify an ERS for an archived data object, for a partial certification path, for a target certificate and for revocation information –On the positive side, servers need not preserve validation information for each archived data object and validation context is not fixed

Issues (continued) No client-side control or awareness of cryptographic maintenance policy –Policy is part of server configuration Data may not be submitted for archiving (i.e., server collects data) –EvidenceRecord definition may need modification if policy must be apparent to clients during validation Could go in CryptoInfos ERS does not define any extensible fields except at outermost layer Validation of EvidenceRecords may require additional requests to verify historical TSA signatures –E.g., a single request could be used to determine status of all TSAs in an EvidenceRecord and any signers on the archived data object, but the resulting response may include EvidenceRecords generated by different TSAs