Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Slides:



Advertisements
Similar presentations
11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.
Advertisements

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.
A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
RPKI Certificate Policy Status Update Stephen Kent.
© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
0 - 0.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
Addition Facts
Chapter 14 – Authentication Applications
Addition 1’s to 20.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.
The Resource Public Key Infrastructure Geoff Huston APNIC.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Status Update for Algorithm Transition for the RPKI (draft-ietf-sidr-algorithm-agility) Steve Kent Roque Gagliano Sean Turner.
A PKI for IP Address Space and AS Numbers Stephen Kent.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Updates to the RPKI Certificate Policy I-D Steve Kent BBN Technologies.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Manifests (and Destiny?) Stephen Kent BBN Technologies.
Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
BGP Validation Russ White Rule11.us.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
November 2006 Geoff Huston APNIC
IT443 – Network Security Administration Instructor: Bo Sheng
Cryptography and Network Security
RPKI Trust Anchor Geoff Huston APNIC.
APNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Progress Report on Resource Certification
October 2006 Geoff Huston APNIC
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate (although I am told that OpenSSL requires this format!) An underlying assumption in PKI standards is that each relying party selects the trust anchors it will use Thus the set of TAs employed by a PKI-enabled application is a local matter In practice, few PKI-enabled applications provide users with good tools for managing TAs! 2

TAs in the RPKI The RPKI architecture follows the general PKI model with respect to TAs, i.e., it assumes each relying party (RP) selects its own set of TAs In the RPKI, a TA must include a public key, a subject name, and RFC 3779 extensions, at a minimum Thus an RP must be able to create compatible TAs To allow use of local address space for (local) routing To reflect local security decisions about TAs, while still maintaining compatibility with RFC 3779 certificate processing This motivates creating a tool to help RPs manage TAs 3

The RP as the TA! The next 2 slides show a PKI with two CAs (A and B) that have offered themselves as TAs (to a set of RPs), by issuing self-signed certificates In the first slide we see the PKI as perceived by these two CAs (two, singly-rooted trees) In the second slide we see the same PKI as viewed by an RP that has acquired the certificates issued by A and B, but has NOT agreed to accept them as TAs per se (e.g., maybe to add constraining extensions) It has transformed the PKI by replacing the self-signed certificates with certificates issued under itself as TA 4

PKI as Advertised by A & B

PKI as Perceived by the RP

What did the RP do? Issue a self-signed CA certificate for itself, to act as the only TA for the RP Acquire certificates for A & B and verify them Extract the subject name, public key and any extensions that are important from each certificate Modify (or add) important extensions to match the RPs policy, thus overriding what A or B may have asserted in their self-signed certificates Issue new certificates to A and B with the RP as the issuer 7

As Certificate: Before and After 8

The RPKI Version In the RPKI we need to be able to create new certificates, possibly with modified RFC 3779 extensions To make this work the RP Self-signed RP certificate must contain RFC 3779 extensions encompassing all addresses and all ASNs Issues new certificates, under the RPs TA, excluding any 3779 extension data that it wants to control directly Re-issues certificates with new 3779 extensions to override the RPKI tree Delete overlapping 3779 data as needed Re-home targeted certificates under the RP TA 9

An RPKI TA Example (1/2) 10 APNIC IANA Reserved addresses LACNIC Unallocated addresses ARINAFRINICRIPE

An RPKI TA Example (2/2) 11 APNICIANA Reserved addresses LACNIC Unallocated addresses ARINAFRINICRIPE

RPKI with Local Control 12 APNIC Reserved addresses LACNIC Unallocated addresses ARINAFRINICRIPE

A More Elaborate Example 13 ARIN FOO BAR ARIN (- BAR) BAR As offered by ARINAs managed by an RP FOO FOOs certificate need not be modified, because path building will fail at ARIN

What does this do? It allows each RP to override the nominal RPKI hierarchy, on a local basis It is easy to manage if you want to override resource allocations only for local resources (i.e., your allocations) or IANA reserved allocations It is somewhat harder to manage IF you want to create direct links to many CAs, especially at lower tiers in the hierarchy BBN plans to provide open source software that supports this model, and that works with the rest of our RP software 14

BBN SW Model (revised) Target certificates Modified certificates

What does this Proposal Do? It instantiates an RP as the only TA, a model that offers the ultimate in local policy control It enables each RP to import putative TAs, check them against a local policy, and reissue their (self-signed) certificates to match the local policy, as needed It allows re-homing of selected RPKI sub-trees at any tier, at the cost of additional policy specifications and a few more certificate issuance operations It allows a local authority to specify a policy and then export the results of applying that policy (to the RPKI) to other RPs that are willing to rely upon that local authority 16

What Else is Needed? We need a good way to express an RPs local policy, to drive certificate re-issuance & re-homing Might specify this policy as a hash of the target certificates public key (SKI) and the 3779 extensions to be used A good GUI might help This proposal does NOT Address how to represent TA info for RIRs Say how to acquire and verify putative TA info Provide details of how to manage the local cache when it is modified by this local policy enforcer, e.g., breaking AIA/SIA links and manifests 17

What do we Call This? 18 Multi-Entity Facets of Internet Resource Trust ME FIRST Courtesy of Richard Barnes

Questions? 19

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.