EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.

Slides:

Advertisements

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Advertisements

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

+1 (801) Everything in PKI but the Kitchen Sink (in 30 minutes or less) Jeremy Rowley.

Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Dane?. Enough said? No? The Longer Version…

CRL Processing Rules Santosh Chokhani November 2004.

COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Assuring e-Trust always 1 Guaranteeing Electronic Trust at all times.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

2/29/2004Profile-04 open issues draft-ietf-ipsec-pki-profile-04.txt (Potentially) Open Issues Gregory M Lebovitz

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.

CA Key 1 Created OCSP Cert 1 Client Cert 1 Client Cert 2 OCSP Cert 2 CA Key 2 Created CA Key 1 Expiration OCSP Cert 3 Client Cert.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.

IDA Security Experts Workshop Olivier LIBON Vice President – GlobalSign November 2000.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.

Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.

1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.

Assuring e-Trust always 1 Status of the Validation and Authentication service for TACAR and Grids.

draft-kwatsen-netconf-zerotouch-01

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

S/MIME Certificates Cullen Jennings

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

HEPKI-PAG Policy Activities Group David L. Wasley University of California.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.

Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.

SEC Identity_of_registrar_CSE Identity of Registrar CSE Group Name: SEC, ARC and PRO Source:FUJITSU Meeting Date: Agenda Item: Authentication.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Online Certificate Status Protocol ‘OCSP’ Dave Hirose July Outline: What is OCSP? Digital Signatures Certificate Revocation List Technical aspects.

How to use DNS during the evolution of ICN? Zhiwei Yan.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

CMC and PKI4IPSEC Jim Schaad. Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

DANE/DNSSEC/TLS Testing in the Go6lab Jan Žorž, ISOC/Go6 Institute, Slovenia

Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.

DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas

Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell Denis Pochuev 4/26/2011.

August 2001 Slide 1 Extensions to TLS Simon Blake-Wilson Certicom David Hopwood Independent Consultant Jan Mikkelsen Transactionware Magnus Nystrom RSA.

Revocation in WebPKI Phill Hallam-Baker Comodo. Standards intersection PKIX OTHER.

DANE/DNSSEC/TLS Testing in the Go6lab Jan Žorž, ISOC/Go6 Institute, Slovenia

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Let’s Encrypt and DANE ENOG 11 | Moscow | 8 Jun 2016.

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

| Presenters: Chris Phillips – CANARIE, Canada Stefan Winter – RESTENA, Luxembourg Looking into the Future:

Why Dane? Geoff Huston Chief Scientist, APNIC. Security on the Internet How do you know that you are going to where you thought you were going to?

Geoff Huston Chief Scientist, APNIC

Living on the Edge: (Re)focus DNS Efforts on the End-Points

ROA Content Proposal November 2006 Geoff Huston.

Certificate Revocation

OCSP Requirements GGF13.

Presentation transcript:

EMU and DANE Jim Schaad August Cellars

EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP

DANE Review Use DNS as alternative or secondary trust framework New Records for cert/public key information – Naming: _._. – Matching: Trust Anchor (Root) CA EE

DANE Stapling Addresses Trust Anchor Issue Addresses matching Certificate Name Create a new _teap._emu. DNS record set Use existing TLSA records Build list of DNSSEC records and pass in TLS extension If necessary – new record for name matching

OCSP Stapling Addresses certificate chain validation Pass OCSP responses in TLS extension Need to establish trust in OCSP responder – Maybe fix with DANE record – Maybe fix by returning CRLs – Maybe fix by making the Trust Anchor the OCSP responder

Work List Need DANE naming convention done in EMU Need DANE stapling TLS extension – Probably done in DANE Need OCSP stapling TLS extension done in TLS – Draft-pettersen-tls-ext-multiple-ocsp-03.txt

Questions?