Issuing delegate certs to Customer AF using Cross-Certification


1 Issuing delegate certs to Customer AF using Cross-Certification
Feb 19, 2019 David Hancock, Chris Wendt (Comcast)

2 Current "proxy" model for issuing TN-PoP Certs to Customer AF
Procedures 1-4 are performed each time a new TN-PoP cert is issued:
1. Customer AF orders a TN-level cert from the ACME Proxy (ACME account pre-authorized with external account binding)
2. Acting as interworking function and firewall, the ACME Proxy relays the cert order to the STI-CA
3. STI-CA issues the TN-level end-entity cert to the ACME Proxy
4. Customer AF downloads the cert (or cert URL) from the ACME Proxy
Certificate path: STI-CA root certificate -> CA intermediate certificate -> TN-PoP certificate (the end-entity cert chains directly to the STI-CA intermediate cert)

3 New TN-PoP SHAKEN 2.0 Solution
Use Cross-Certification to delegate STI-CA authority, as specified in RFC 5280
Goal: standard X.509 with backward compatibility for signature validation on the STI-VS

4 RFC 5280 defines two classes of certs
CA certificates MUST contain a Basic Constraints extension with the cA boolean set to TRUE; the certificate's private key can be used to sign another certificate in the cert path
End-entity certificates MUST either omit the Basic Constraints extension or contain Basic Constraints with cA set to FALSE; the certificate's private key cannot be used to sign another certificate

5 RFC 5280 also defines three sub-classes of CA certs
Self-issued certificate: CA cert where the issuer and subject are the same entity
Self-signed certificate (aka root cert): self-issued CA certificate whose signature can be verified using the cert's own public key
Cross-certificate: CA cert where the subject and issuer are different entities

6 Using cross-certs to delegate CA authority
CA-1 can delegate its authority to another "delegate" CA, CA-2, by issuing a cross-certificate to CA-2
The delegate CA-2 can then issue end-entity certs chained to the cross-certificate
For domain certs, CA-1 can include a Name Constraints extension in the cross-certificate to limit the Subject name-space of the end-entity certs issued by the delegate CA-2

7 Domain CA delegation example
Certificate path: National CA 1 -> Delegate CA 2 -> endpoint
National CA 1 intermediate/root cert: Issuer: nationalCA1.com; Subject: nationalCA1.com; Basic Constraints: cA = true; CA1 public key; Signature
Delegate CA 2 cross-certificate (with constraints): Issuer: nationalCA1.com; Subject: delegateCA2.com; Basic Constraints: cA = true; Name Constraints: *.delegateCA2.com; CA2 public key; Signature
Endpoint end-entity cert (constrained by the cross-certificate): Issuer: delegateCA2.com; Subject: subdomain.delegateCA2.com; CA2 public key; Signature
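The slide-7 delegation built and path-validated with Go's standard crypto/x509, as an added example that is not the presenters' code: the cross-certificate issued by nationalCA1.com to delegateCA2.com carries a permitted DNS subtree of .delegateCA2.com, so an end-entity cert for subdomain.delegateCA2.com validates while one for a host outside that subtree is rejected, which is the verifier-side check slide 10 asks for. Keys (Ed25519), serials and validity periods are constructed; the TNAuthList constraints of the SHAKEN case are not a Name Constraints subtree and would need their own check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue: fresh Ed25519 key for tmpl's subject, signed by signer under parent; nil signer = self-signed root.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	if signer == nil {
		parent, signer = tmpl, priv // issuer == subject, and the cert's own key verifies the signature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate is well-formed
	return cert, priv
}

// template sets Basic Constraints (cA = isCA); a non-empty permitted list becomes a critical Name Constraints extension.
func template(serial int64, cn string, isCA bool, ku x509.KeyUsage, permitted, sans []string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // constructed validity
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku, DNSNames: sans, // leaf SAN is what Name Constraints are checked against
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0}
}

// VerifyDelegatedLeaf: nationalCA1.com root -> cross-cert for delegateCA2.com -> leafHost end-entity, then path-validate the leaf.
func VerifyDelegatedLeaf(leafHost string) error {
	root, rootKey := issue(template(1, "nationalCA1.com", true, x509.KeyUsageCertSign, nil, nil), nil, nil)
	cross, ca2Key := issue(template(2, "delegateCA2.com", true, x509.KeyUsageCertSign,
		[]string{".delegateCA2.com"}, nil), root, rootKey)
	leaf, _ := issue(template(3, leafHost, false, x509.KeyUsageDigitalSignature, nil, []string{leafHost}), cross, ca2Key)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	fmt.Println(VerifyDelegatedLeaf("subdomain.delegateCA2.com"), VerifyDelegatedLeaf("host.otherdomain.example"))
}
```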

8 Leveraging cross-certificates for the SHAKEN Customer AF case
STI-CA delegates CA responsibilities to the TN Provider: STI-CA issues a cross-certificate to the TN Provider
TN Provider then uses the cross-certificate to issue STI end-entity certs to its multiple Customer AFs
STI-CA includes constraints in the cross-certificate that limit the scope of end-entity certificates issued by the TN Provider (i.e., place limits on the contents of TNAuthList (SPC and TNBlock))

9 Issuing STI certs to Customer AF using the Delegate CA model
Certificate path: STI-CA -> TN Provider -> Customer AF
STI-CA root certificate (CA intermediate/root cert): Issuer: STI-CA; Subject: STI-CA; STI-CA public key; Signature
1. STI-CA issues the cross-certificate with constraints to the TN Provider (via ACME)
Delegate CA cross-certificate (with constraints): Issuer: STI-CA; Subject: TN Provider; TNAuthList constraints; TN Provider public key; Signature
2. TN Provider issues STI end-entity certificates (via ACME) to Customer AF 1, 2 and 3 (STI cert 1, 2 and 3), each within the constraints
STI end-entity certificate (e.g., STI cert 3): Issuer: TN Provider; Subject: CAF-3; TNAuthList: SPC value, Customer AF TNs; Customer AF public key; Signature

10 How are constraints established and enforced?
The STI-PA authorizes constraints per TN Provider; the constraints are conveyed to the STI-CA in the SPC Token
STI-CA issues a cross-certificate to the TN Provider with the constraints authorized by the STI-PA
TN Provider issues STI end-entity certificates to Customer AFs within the scope of the constraints
Verification services verify that STI end-entity certificates honor the constraints

11 The complete Customer AF certificate management flow
1. TN Provider (Delegate CA) gets the SPC Token with constraints from the STI-PA
2. TN Provider orders the cross-certificate with constraints from the STI-CA (via ACME); the STI-CA, holding the CA intermediate/root cert, issues the cross-certificate with constraints
3. Customer AF orders an STI certificate from the TN Provider
4. TN Provider stores the issued STI certificate in the STI-CR
5. Customer AF downloads the cert from the STI-CR URL
