1
RFC 2511 BIS (CRMF)
Jim Schaad
Soaring Hawk Security
2
Proof of Possession (POP)
Provide evidence that the following two conditions are met:
  I have use of the private key
  My identity is <your name here>
Owner of key can always produce a false POP for somebody else
3
POP - Methods
Document defines 6 different methods for POP:
  Signature Based
  Surrender of private key
  Direct (Challenge Response)
  Indirect (Decrypt Certificate)
  Key Agreement HMAC
  RA Asserts POP is completed
4
POP - Sign
Sign
  Public Key
  Identity Statement
Satisfies the POP requirement
5
POP – Surrender Private Key
Encrypt private key for the CA/RA
Proves key possession only.
Allows for theft of POP proof.
Sufficient to do? E_CA(private key, identity statement)
Encrypted structure currently not specified.
  CMS? Other? Content?
6
POP – Direct/Indirect
Receive E_EE(value)
Decrypt and return value
Shows use of key
Does not show identity
Does it need to be fixed – if so how?
7
POP – DH-HMAC
Produce a shared secret with CA/RA
HMAC the request with derived key
Send result with enrollment message
Proves use of private key
Proves identity sometimes
Need to ensure identity is in the hashed value at all times
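The last two bullets, shown as an added example that is not part of the original slides: when the identity is left out of the bytes fed to the HMAC, a request whose identity field has been replaced still verifies at the CA; when it is included, verification fails. The toy DH group, the SHA-256 key derivation, the length-prefixed encoding and all function names are assumptions made for illustration, not the computation the specification defines.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_mac_key(own_priv, peer_pub):
    """Hash the DH shared secret into an HMAC key (simplified derivation)."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def covered_bytes(identity, public_key, bind_identity):
    """Bytes fed to the HMAC; length prefixes keep field boundaries unambiguous."""
    fields = [public_key.to_bytes(16, "big")]
    if bind_identity:
        fields.insert(0, identity)
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def make_request(ee_priv, ee_pub, ca_pub, identity, bind_identity):
    """End entity: HMAC the request with the DH-derived key."""
    key = derive_mac_key(ee_priv, ca_pub)
    data = covered_bytes(identity, ee_pub, bind_identity)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return {"identity": identity, "public_key": ee_pub, "pop": tag}

def ca_verify(ca_priv, request, bind_identity):
    """CA/RA: recompute the HMAC over the fields exactly as received."""
    key = derive_mac_key(ca_priv, request["public_key"])
    data = covered_bytes(request["identity"], request["public_key"], bind_identity)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, request["pop"])

def identity_swap_accepted(bind_identity):
    """True if a request still verifies after its identity field is replaced."""
    ca_priv, ca_pub = dh_keypair()
    ee_priv, ee_pub = dh_keypair()
    req = make_request(ee_priv, ee_pub, ca_pub, b"CN=alice", bind_identity)
    if not ca_verify(ca_priv, req, bind_identity):
        raise RuntimeError("unmodified request must verify")
    altered = dict(req, identity=b"CN=someone-else")
    return ca_verify(ca_priv, altered, bind_identity)
```

`identity_swap_accepted(False)` returns `True` and `identity_swap_accepted(True)` returns `False`, which is the difference between "proves identity sometimes" and having the identity in the hashed value at all times.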
8
Blocking Issues
POP issues as previously noted
DH-MAC needs to be extended for other key – provide algorithm and value
Protocol Encryption Key Control
  Specifies key, but not any algorithms
9
Blocking Issues
Reg Token and Authenticator control
  Can’t do binary in UTF8 string
  Type has changed but not OID since RFC 2511
  Reg Token algorithm undefined if computed
  Need better distinguishing text
10
Blocking Issues
Archival
  Key Gen parameter structure not defined
  Key Gen parameter structure not encrypted
  Encryption key not specified
    CA? RA? User’s?
  Discovery of encryption algorithms to use
11
Blocking Issues
RegInfo Control overloads the use of ‘%’
  Name?Value%[Name?Value%]*
  %xx if % and ? are not to be used as delimiters
12
Questions