Certificates and FIPS 201 Tim Polk March 3, 2006.

Presentation transcript:


X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program [February 6, 2006]

Common Certificate & CRL Profile
Updated February 2006
– Added FIPS 201-specific certificate profiles: PIV Authentication certificate, Card Authentication certificate
– Enhanced Signature Certificate profile to identify PIV Content Signers

What’s different?
Departs from current best practice to meet new requirements:
– Different public keys
– New signature options
– Larger certificates
– FASC-N
– Extended key usage extension
– Multiple status mechanisms
– PIV interim extension

Different public keys
– Bigger RSA keys: 2048 and 3072 bit keys
– ECC keys for bit curves

New signature options
– ECDSA signatures
– SHA-224 and SHA-256
– PSS padding

Larger Certificates
Certificate size is dominated by the public key and the signature
– 3072 bit keys mean a larger maximum certificate size
– Multiple URLs for status mechanisms can add size if the URLs are too long

FASC-N
The FASC-N is encoded as an additional name in the certificate to link the physical and logical credentials

Extended key usage
This extension is required to differentiate the card authentication key from the PIV authentication key

Status Mechanisms
– Certificates include HTTP and LDAP pointers to CRLs
– PIV and card authentication certificates include a pointer to an OCSP server

PIV Interim Extension
New, private extension required to indicate investigation status
– Noncritical extension
– Specifies whether a NACI is completed at the time of certificate issuance
