Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

Slides:



Advertisements
Similar presentations
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Semantics Static semantics Dynamic semantics attribute grammars
File Server Organization and Best Practices IT Partners June, 02, 2010.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
CRL Processing Rules Santosh Chokhani November 2004.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
CS526 – Advanced Internet And Web Systems Semester Project Public Key Infrastructure (PKI) By Samatha Sudarshanam.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Project title Team Members. Project Title Brief description of the project in bullet form.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
1 What NOT to do I get sooooo Frustrated! Marking the SAME wrong answer hundreds of times! I will give a list of mistakes which I particularly hate marking.
F. Guilleux, O. Salaün - CRU Middleware activities in French Higher Education.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Technical Working Group June 2001 Andrew Nash Steve Lloyd.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Unit 1: Protection and Security for Grid Computing Part 2
Technical Working Group December 2000 Mark Davis Andrew Nash.
Bridge Certification Architecture A Brief Demo by Tim Sigmon and Yuji Shinozaki June, 2000.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
PKI Forum Mission “The PKI Forum is an international, not-for-profit, multi- vendor and end-user alliance whose purpose is to accelerate the adoption and.
Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to.
Integrating security services with the automatic processing of content TERENA 2001 Antalya, May 2001 Francesco Gennai, Marina Buzzi Istituto.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, Amsterdam.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.
LDAP for PKI Problems Cannot search for particular certificates or CRLs Cannot retrieve particular certificates or CRLs.
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.
CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working.
Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
Draft-dploy-requirements-00 Overview: draft-dploy-requirements-00 Gregory M Lebovitz pki4ipsec BOF.
TAG Presentation 18th May 2004 Paul Butler
Advanced Higher Computing Science
Software Testing.
Cryptography and Network Security
TAG Presentation 18th May 2004 Paul Butler
Why Do We Need More Research?
Authentication Applications
Security, Cryptography, and Magic
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

Path Construction “It’s Easy!” Mark Davis

Current WP Scope u Applications that make use of public key certificates have to validate certificate paths. u Before validating a certificate path, it is first necessary to construct that path. u This means finding a set of certificates that appears to chain up to a trust point. u This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".

So What is the Problem? u Does not seem to work in the real world u Brought up as area of interest at first PKI Forum u Standards seem to address the problem u Objectives: –Identify parts of the task –Describe the problem –How can PKI Forum make progress?

Path Construction u Want to validate a certificate u You have some trusted roots u Each certificate has “issuer name” –May have other information u Path validation described in standards –Start with root –Check each cert (cert, policy, revocation status) –When check of cert of interest complete, then work is done

No Problem. Well … u Finding the certificates –Mostly an LDAP problem u Finding a path –Graph theory problem u Checking a path –Good news! Recognizable correct answer –Whose rules Certificate may or may not contain standard profile Roots may be from different profiles

#1 Finding Missing Certificate u Can’t identify certificate –DN non proper –Cert storage not related to Issuer DN –LDAP u “Path Policy” may not use X.509 certificates –PKCS #7 u Interdomain directory authorization problems

#2 Finding the path u Assuming you can find the certificates u In real life, number of certificates well bounded u Graph traversal algorithms well understood –I admit that building routing algorithms is hard. But somebody else already did it. –We do not introduce new problems u Each Cert Issuer -> Issue Cert link must be handled by SW u Partial Path’s –SW must parse partial path and maintain like as above

Other Problems u…u…

What does the paper need to say – Mark’s Version u LDAP is hard (see LDAP WP) u Sometimes you don’t use LDAP to get Certificates (see …) u Graph Traversal is hard (see Knuth) u Path construction is easy!

What does the paper need to say – WG Consensus Version u List the problems with LDAP u Recommend protocols and business logic solve as much as problem as possible u Error Handling needs guidance u CA-CA paper must give guidance to bound path construction u Path construction may be a resource intensive –server may be better than on small device u Environmental impacts described

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.