1 PKI Disaster Recovery and Key Rollover Bull S.A.S.

Slides:

Advertisements

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Advertisements

Chapter 14 – Authentication Applications

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

CS526 – Advanced Internet And Web Systems Semester Project Public Key Infrastructure (PKI) By Samatha Sudarshanam.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

1 Update on draft-ietf-smime-cades Current Status Completed last call. Under review by IESG. Comments to be incorporated: –From Pavel Smirnov (during.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

+1 (801) Standards for Registration Practices Statements IGTF Considerations.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Configuring Directory Certificate Services Lesson 13.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

Certificate revocation list

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

Technical Working Group December 2000 Mark Davis Andrew Nash.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.

Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.

BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.

26 July 2007IETF 69 PKIX1 Use of WebDAV for Certificate Publishing and Revocation

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.

Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005.

Framework on Key Compromise, Key Loss & Key Rollover

Public Key Infrastructure Using X.509 (PKIX) Working Group

Document update - what has happened since GGF11

Trust Anchor Management Problem Statement

Cryptography and Network Security

Public Key Infrastructure Using X.509 (PKIX) Working Group

Security in ebXML Messaging

زير ساخت كليد عمومي و گواهي هويت

Resource Certificate Profile

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

National Trust Platform

OCSP Requirements GGF13.

Presentation transcript:

1 PKI Disaster Recovery and Key Rollover Bull S.A.S.

2 The topic was originally proposed at the IETF meeting from July 2001 under the name : PKI Disaster Planning and Recovery. There was no interest at that time in the PKIX WG, but many individual demands came later for getting the draft,... even years later. The initial document has been fully redrafted with Joel Kazin, as co-editor. It is proposed as an INFORMATIONAL RFC.

3 General topics The draft identifies various ways to recover from exceptional situations, like private key-compromise or private key-loss and to quickly restore normal operations: it allows to build a disaster recovery plan. Private key-compromise or a private key-loss may happen to : –End-entities, –Certification Authorities, –Revocation Authorities, –Attribute Authorities, or –Time-Stamping Authorities. Denial of service attacks on CRL Repositories is considered. Since certificates have finite validity, CA key-rollover is considered so that it can be planned in advance.

4 End-Entities The cases are different whether the keys are used for authentication, message-confidentiality or non repudiation (i.e. content commitment). The cases are also different for : –keys used to decrypt stored data (Data-at-Rest), and –keys used to decrypt communications (Data-in-Transit).

5 CAs Different cases apply to: –Root CA key-compromise, –Intermediate CA key-compromise. If a CA has issued 10 millions certificates in smartcards, and its issuing private key is compromise, the draft describes a solution, to quickly recover from that situation without re-issuing 10 millions smartcards.

6 Revocation Authorities Addresses: –CRL Issuers, and –OCSP Responders. Makes the difference between: –key-compromise within certificate life-time, –key-compromise beyond certificate life-time.

7 Attribute Authorities Addresses: –Attribute certificate revocation, –Attribute Authority Key compromise, –Attribute Authority Key loss.

8 Time-Stamping Authorities Addresses: –Time-Stamping Unit Key loss, and –Time-Stamping Unit Key compromise. Makes the difference between a compromise: –during the validity period of the TSU certificate, and –after the end of the validity period of the TSU certificate.

9 CRL Repositories Addresses the case of hiding an "emergency CRL" by performing a denial of service attack. Suggests to add a rule in the validation policy: Whenever a CRL is needed, look for it in a cache : - if not present, fetch the CRL as usual and place it in the cache with the time when it was fetched, and use it; - if present, look for the time when it was fetched, and only use it if it was fetched earlier than x minutes, otherwise, look for a new CRL, and use it.

10 Proposed way forward The proposal is to progress the document as a WG document rather than an individual contribution, so that it will be referenced on the PKIX web page. In order to achieve this goal, it is requested: –to consider the acceptance of this work item by PKIX WG, –then, to include this work-item in the work plan. The benefits will be to be able to improve the draft using the expertise from the WG participants.