Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.

Slides:

Advertisements

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Advertisements

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

A responsibility based model EDG CA Managers Meeting June 13, 2003.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Public Key Management and X.509 Certificates

Report on Attribute Certificates By Ganesh Godavari.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

ARIN Clarifying Requirements for IPv4 Transfers Dan Alexander- Primary Shepherd David Farmer- Secondary Shepherd.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Configuring Directory Certificate Services Lesson 13.

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

Updates from the EUGridPMA David Groep, July 16 st, 2007.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa David Groep – Items  EUGridPMA.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

Discussions on the Life Ray Portal and credential management David Groep, Oct 11 th, 2011.

IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.

EUGridPMA status and updates David Groep, TAGPMA Ottawa Summit 2006.

Community PKIs Initiatives Updates TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

TACAR Updates version David Groep, NIKHEF. 9 th EUGridPMA ‘RAL’ meeting – Jan David Groep – TACAR Aims  Trusted and.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.

NIIF CA Status Update and Self-Audit Results 15 th EUGridPMA meeting Nicosia Tamás Máray NIIF Institute.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,

Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Feyza Eryol TÜBİTAK ULAKBİM TR-GRID CA SELF-AUDIT & UPDATES.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

Updates from the EUGridPMA David Groep, Oct 17 st, 2007.

29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.

Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.

TAG Presentation 18th May 2004 Paul Butler

JLR, Tozny, and DHS Isaac Potoczny-Jones

AEGIS Certification Authority

TAG Presentation 18th May 2004 Paul Butler

The IGTF Charter Name uniqueness throughout the IGTF is anchored in the Charter Current Charter assigns a namespace to an Authority, implying that the.

ROA Content Proposal November 2006 Geoff Huston.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

Presentation transcript:

Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland

15 th EUGridPMA Nicosia meeting – Jan David Groep – Current MICS  4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

15 th EUGridPMA Nicosia meeting – Jan David Groep – Language is ambiguous 4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

15 th EUGridPMA Nicosia meeting – Jan David Groep – 1 st proposal for clarification  The IdM manager must suspend or revoke eligibility to obtain a certificate if traceability to the person is lost, and must ensure any changes to member data pertinent to certificate issuance are promptly made available to the MICS CA on issuance of any new certificate to a member.  And a lot of discussion followed

15 th EUGridPMA Nicosia meeting – Jan David Groep – MICS proposal from Marg  The accreditation process must address how the IdM maintains persistence, uniqueness and traceability of each individual person.  Certificates implicitly expire if the IdM can no longer provide persistence, uniqueness, and traceability to the individual.  Upon loss of traceability, the CA Manager must suspend or revoke the ability for that individual to get a MICS certificate and should revoke any already issued certificates unless they expire in less than 1Ms."  which may suggest that you must be able to address the persistence of all possible individuals that might request a cert for each and every individual. Also, the 'implicitly expire' now comes across as something that will magically happen.

15 th EUGridPMA Nicosia meeting – Jan David Groep – Updated proposal  The CP/CPS must address how the IdM maintains persistence and traceability for entities that are eligible for a MICS certificate, and how name uniqueness is guaranteed.  Certificates may be left to expire implicitly if the status of the entity in the IdM changes, if and only if traceability information to the individual is retained.  Upon loss of traceability, the CA Manager must suspend or revoke the ability for that individual to get a MICS certificate and should revoke any already issued certificates unless they expire in less than 1Ms.  But also this caused a lot of discussion in the TAGPMA

15 th EUGridPMA Nicosia meeting – Jan David Groep – 1 st proposal for clarification  The IdM manager must suspend or revoke eligibility to obtain a certificate if traceability to the person is lost, and must ensure any changes to member data pertinent to certificate issuance are promptly made available to the MICS CA on issuance of any new certificate to a member.  or  The IdM manager must suspend or revoke authentication to the IdM if …  What were the issues with originally proposed clarification?

15 th EUGridPMA Nicosia meeting – Jan David Groep – New text? 4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication to the IdM if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.