Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard

Slides:



Advertisements
Similar presentations
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Advertisements

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Tim Polk, NIST PKI Overview Tim Polk, NIST
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
The OpenEvidence Project Peter Sylvester, EdelWeb IETF - N° 57, Wien PKIX working group.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Trusted Archive Protocol (TAP) Carl Wallace
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
VDA Security Services Freeware Libraries Update IETF S/MIME WG 29 March 2000 John Pawling J.G. Van Dyke & Associates (VDA), Inc;
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
S/MIME Freeware Library IETF S/MIME WG 13 December 2000 Getronics Government Solutions.
Technical Working Group June 2001 Andrew Nash Steve Lloyd.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
D D S PKI and Certs in LDAP Peter Gietz, DFN Directory services PKI and storage of PGP and X.509 certificates in LDAP LDAP Deployment BoF Amsterdam
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Certificate revocation list
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.
OpenEvidence and ESS Peter Sylvester, EdelWeb IETF - N° 57, Wien S/MIME working group.
Michael Myers VeriSign, Inc.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.
Communications-Electronics Security Group. PKI interoperability issues for UK Government … again Richard Lampard
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.
CMP Presentation Stephen Farrell Baltimore Technologies.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Some Technical Issues in PKI Deployment David Chadwick
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004 Stefan Kotes, Engineering Manager.
Public Key Infrastructure Using X.509 (PKIX) Working Group March 20,
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.
Public Key Infrastructure Using X.509 (PKIX) Working Group
ASN.1: Cryptographic files
December 13, 2000 Robert Moskowitz
Cryptography and Network Security
Introduction to PKI Novell BrainShare 2002 Tammy Green
Public Key Infrastructure Using X.509 (PKIX) Working Group
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
CompTIA Security+ Study Guide (SY0-401)
CompTIA Security+ Study Guide (SY0-501)
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Tim Polk, NIST PKI Program Manager March 2000
OCSP Requirements GGF13.
Presentation transcript:

Communications-Electronics Security Group

PKI interoperability issues for UK Government Richard Lampard

Structure 1.What is CLOUD COVER? 2.Interoperability testing 3.Trust models 4.Wish list 5.Summary

1.What is CLOUD COVER? CLOUD COVER aims to ensure that government departments have access to the widest possible range of secure, interoperable and cost effective PKI solutions.

2.Interoperability testing CA

2.Interoperability testing PCA CA

2.Interoperability testing COAST system is very, very simple … … but it took a lot of work to achieve interoperability!

2.Interoperability testing Experiences in COAST –misinterpretations of standards e.g. wrong version –encoding problems e.g. DER versus BER, GeneralizedTime vs UTCTime, DN ordering –problems with tools e.g. ASN.1 compiler bugs –dealing with incorrect behaviour e.g. processing certification requests –missing functionality e.g. ARLs –mistakes e.g. keyUsage & basicConstraints –invalid assumptions e.g. populating keyIdentifier –implementation limitations e.g. serial number length

2.Interoperability testing Requirement Simple, interoperable solution Fully functional, interoperable solution Fully functional, non-interoperable solution Very hard! Very, very hard indeed!

2.Interoperability testing CA Repository

HMG Root CA (Baltimore) Ministry of Education (Entrust) Ministry of Works (Baltimore) Ministry of Transport (Entegrity) Ministry of Truth (NIST) Ministry of Plenty (Spyrus) 2.Interoperability testing

Conclusion? It doesn’t work!

2.Interoperability testing Experiences with testbed: –on-line cross certification relies upon proprietary protocol exchanges, procedures and token standards –certificate extensions not processed –directory schema e.g. same OID representing different object classes –inability to use same Directory –name encoding e.g PrintableString vs TeletextString, RFC 822 address included in DN

2.Interoperability testing Manual cross certification between different products is limited –achieved between other products and Notary –using Entegrity PKIBench toolkit –pre-certificate imported to Notary CA –Entegrity token created for it –could develop similar toolkits for all other products

2.Interoperability testing What is happening to the IETF!? –divergent working groups (PKIX, SPKI, OpenPGP) –competing PKIX standards (CMC versus CMP) –massive proliferation of standards...

2.Interoperability testing  Representation of elliptic curve DSA (ECDSA) keys and signatures in Internet X.509 PKI certificates  Certificate management message formats (CMMF)  Certificate management messages over CMS (CMC)  Caching on-line certificate status protocol  Web based certificate access protocol (WebCAP/1.0)  Enhanced CRL distribution options(OCDP)  Time stamp protocols  Data validation and certification server protocols  PKIX roadmap  Qualified certificates  Diffie-Hellman proof of possession algorithms  An Internet attribute certificate profile for authorisation  Basic event representation token v1  Extending trust in non-repudiation tokens in time  Simple certificate validation protocol (SCVP)  Using HTTP as a transport protocol for CMP  Limited attribute acquisition protocol  RFC Certificate and CRL profile  RFC Certificate management protocols (CMP)  RFC 2511 – Certificate request message format (CRMF)  RFC Certificate policy and certificate practices framework  RFC 2528 – Representation of key exchange algorithm (KEA) keys in Internet X.509 PKI certificates  RFC 2559 – Operational protocols: LDAPv2  RFC 2560 – Online certificate status protocol (OCSP)  RFC 2585 – Operational protocols: FTP and HTTP  RFC 2587 – LDAPv2 schema  Operational protocols: LDAPv3  Limited attribute certificate acquisition protocol  OCSP extensions  Using HTTP as a transport protocol for CMP  Using TCP as a transport protocol for CMP  A string representation of general name – allows representation of GeneralName when not using ASN.1 encoded protocol (e.g. configuration file)  Technical requirements for a non-repudiation service  PKIX profile for IKE – allows use of PKIX certificates with IPSec.

3.Trust models B R We would like to use all three in Government... … but we are generally stuck with hierarchies

4.Wish list PKI Forum should feed into IETF PKIX WG Don’t forget client interoperability and Directory issues Interoperability should not be exclusive among Forum members Testing service or reference implementation Liaise with other initiatives e.g. ECAF, TIE, Identrus

5.Summary Lack of interoperability will be a major problem for UK Government PKI Forum efforts are very welcome Ensure that the work is coordinated with other international efforts

Communications-Electronics Security Group

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.