People’s Choice… When not just any CA will do


1 People’s Choice… When not just any CA will do
Bruce A Rich OASIS KMIP F2F, Feb 2016

2 Why multiple CAs?
- Partitioning of intranet space into Dev, Test, Production areas
  - Loose and flexible
  - More tightly controlled
  - Rigid controls, may even be further partitioned
- May somewhat mirror the internal org chart, reflecting the partition of responsibilities and control

3 Can “Certify” a PKCS10 blob via KMIP, but…
- If a server has multiple CA personalities, how can the client discover/suggest/hint which one to use?
- And PKCS10 is not user-friendly: is there a way to request/tweak certificate capabilities through KMIP?

4 Client choice
- The Certify API allows Attributes to be passed on the call
- KMIP already has an X.509 Certificate Issuer attribute
- Since that is supposed to be unique(ish), use it as the mechanism to refer to the desired issuer
- Or could define a more client-friendly (X.509 Certificate Issuer Name -> String) attribute

5 Discovering the choices
- No (protocol-defined) way to know which CAs the server might be able to contact/use on the client’s behalf
- Could add a Query extension for this; it would return zero to n X.509 Certificate Issuer (or X.509 Certificate Issuer Name) attributes
- Having the server volunteer the information keeps the client from having to compose all of this by itself…

6 PKCS#10 avoidance?
- Could define a couple of new attributes to specify whether the cert would be for a CA or not, and the certificate usage type
- Already have a variant of Alternative Name that is X.500 Distinguished Name
- Larger scope than just usage of X.509 Certificate Issuer

7 Recommendation
- Augment Query with one more optional thing to ask the server
- Minimalist profile to show usage
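The selection and discovery flow from slides 4, 5 and 7, modelled as an added example that is not part of the presentation and not any KMIP server's code: a server-side registry of CA personalities, a Query-style call that volunteers the issuers, and the Certify-side check that fails closed when the request names no CA, an unknown CA, or two attributes that disagree. The attribute names are the ones the slides refer to; the real X.509 Certificate Issuer attribute is a structure, which this model reduces to its distinguished name, and the "X.509 Certificate Issuer Name" string attribute is the slide's proposal, not an existing KMIP attribute. The DNs and the CSR bytes are constructed sample data.

```python
"""Model of client choice and discovery of CA personalities behind KMIP Certify.
Added illustration; attribute names follow the slides, everything else is assumed."""

ATTR_ISSUER = "X.509 Certificate Issuer"            # existing KMIP attribute (DN only in this model)
ATTR_ISSUER_NAME = "X.509 Certificate Issuer Name"  # proposed client-friendly string attribute (hypothetical)

# Constructed sample data: friendly name -> issuer DN, mirroring a Dev/Test/Prod split.
SAMPLE_CAS = [
    ("Dev", "CN=Dev CA,O=Example Corp"),
    ("Test", "CN=Test CA,O=Example Corp"),
    ("Prod", "CN=Prod CA,O=Example Corp"),
]
SAMPLE_CSR = b"<constructed placeholder, not a real PKCS#10 blob>"


class CertifyError(Exception):
    """Raised where a real server would return an operation failure to the client."""


class CaRegistry:
    """Server-side table of the CA personalities this KMIP server can use."""

    def __init__(self, cas):
        self._by_dn = {}
        self._by_name = {}
        for name, dn in cas:
            self._by_dn[dn] = name
            self._by_name[name] = dn

    def query_issuers(self):
        """Models the proposed Query extension: the server volunteers zero or more issuers."""
        return [{ATTR_ISSUER: dn, ATTR_ISSUER_NAME: name}
                for dn, name in sorted(self._by_dn.items())]

    def resolve(self, attributes):
        """Pick the CA a Certify request asks for; any ambiguity is an error, never a guess."""
        dn = attributes.get(ATTR_ISSUER)
        name = attributes.get(ATTR_ISSUER_NAME)
        if name is not None:
            if name not in self._by_name:
                raise CertifyError(f"unknown issuer name {name!r}")
            name_dn = self._by_name[name]
            if dn is not None and dn != name_dn:
                raise CertifyError("issuer DN and issuer name refer to different CAs")
            dn = name_dn
        if dn is None:
            if len(self._by_dn) == 1:
                return next(iter(self._by_dn))  # a single personality needs no hint
            raise CertifyError("server has several CAs; the request must name one")
        if dn not in self._by_dn:
            raise CertifyError(f"unknown issuer {dn!r}")
        return dn


def certify(registry, attributes, pkcs10_der):
    """Simplified Certify: validates the hint and returns the issuer DN that would sign."""
    if not pkcs10_der:
        raise CertifyError("empty certificate request")
    return registry.resolve(attributes)


def certify_result(registry, attributes, pkcs10_der):
    """Wrap certify() into the (status, detail) pair a client would see."""
    try:
        return ("ok", certify(registry, attributes, pkcs10_der))
    except CertifyError as err:
        return ("error", str(err))


if __name__ == "__main__":
    registry = CaRegistry(SAMPLE_CAS)
    for entry in registry.query_issuers():                      # discovery step
        print("server offers:", entry[ATTR_ISSUER_NAME], "=", entry[ATTR_ISSUER])
    print(certify_result(registry, {ATTR_ISSUER_NAME: "Dev"}, SAMPLE_CSR))
    print(certify_result(registry, {}, SAMPLE_CSR))
```

The client first calls the Query-style method to learn the issuers, then passes one of them back on Certify; the fallback to the only registered CA exists so that a single-personality server keeps working for clients that send no hint at all.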

8 Backup slides

9 Common certificate extensions
“Key Usage”
- Allowable usages for the public key in the certificate: CERT_SIGN, CRL_SIGN, DATA_ENCIPHERMENT, DIGITAL_SIGNATURE, GOVT_APPROVED, KEY_AGREEMENT, KEY_ENCIPHERMENT, NON_REPUDIATION
- These are covered via the Cryptographic Usage Mask on the public key (except GOVT_APPROVED; see KMIP Spec 3.19)
- Omission is interpreted as all of the above
- OID = { 2, 5, 29, 0F } (i.e. 2.5.29.15)

10 Common certificate extensions…
“Basic constraints”
- Tells whether the cert is for a CA or not (TRUE or FALSE)
- OID = { 2, 5, 29, 19 }
- Impacts all interpretation of extended key usages

11 Alternative Name
- Can provide most of the information needed by Certify: DNS Name, IP Address, X.500 Distinguished Name
- Only need a “Basic Constraints” / “CA=true” attribute and an “Extended Key Usage” bitset attribute
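Slides 6, 9, 10 and 11 argue that a Certify request needs only a CA-or-not flag and a usage bitset, because the Key Usage bits are already expressed by the KMIP Cryptographic Usage Mask. The following added example, which is not part of the presentation and not KMIP specification code, derives X.509 KeyUsage bit names from a usage mask and DER-encodes the Key Usage (2.5.29.15) and Basic Constraints (2.5.29.19) extensions by hand, then decodes a Key Usage value back so a received certificate can be checked against the mask. The mask constants are the KMIP 1.x Cryptographic Usage Mask values; the correspondence between mask bits and KeyUsage bits is this example's own assumption, and GOVT_APPROVED has no mask counterpart, as the slide says.

```python
"""KeyUsage and BasicConstraints from a KMIP Cryptographic Usage Mask, DER by hand.
Added illustration; the mask-to-KeyUsage mapping is an assumption of this example."""
from enum import IntFlag


class UsageMask(IntFlag):
    """Subset of the KMIP Cryptographic Usage Mask values (KMIP 1.x, section 9.1.3.3.1)."""
    SIGN = 0x0001
    VERIFY = 0x0002
    ENCRYPT = 0x0004
    DECRYPT = 0x0008
    WRAP_KEY = 0x0010
    UNWRAP_KEY = 0x0020
    CONTENT_COMMITMENT = 0x0400   # non-repudiation
    KEY_AGREEMENT = 0x0800
    CERTIFICATE_SIGN = 0x1000
    CRL_SIGN = 0x2000


# X.509 KeyUsage bit positions (RFC 5280, section 4.2.1.3).
KEY_USAGE_BIT = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6,
}
KEY_USAGE_NAME = {bit: name for name, bit in KEY_USAGE_BIT.items()}

# Assumed correspondence between mask bits and KeyUsage bits (this example's choice).
MASK_TO_KEY_USAGE = (
    (UsageMask.SIGN | UsageMask.VERIFY, "digitalSignature"),
    (UsageMask.CONTENT_COMMITMENT, "nonRepudiation"),
    (UsageMask.WRAP_KEY | UsageMask.UNWRAP_KEY, "keyEncipherment"),
    (UsageMask.ENCRYPT | UsageMask.DECRYPT, "dataEncipherment"),
    (UsageMask.KEY_AGREEMENT, "keyAgreement"),
    (UsageMask.CERTIFICATE_SIGN, "keyCertSign"),
    (UsageMask.CRL_SIGN, "cRLSign"),
)

OID_KEY_USAGE = bytes([0x55, 0x1D, 0x0F])          # 2.5.29.15, the slide's { 2, 5, 29, 0F }
OID_BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])  # 2.5.29.19


def key_usage_from_mask(mask):
    """Names of the KeyUsage bits implied by a usage mask, in bit order."""
    return [name for flags, name in MASK_TO_KEY_USAGE if mask & flags]


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_key_usage(names):
    """DER BIT STRING for KeyUsage; DER drops the trailing zero bits of a named bit list."""
    bits = [KEY_USAGE_BIT[n] for n in names]
    if not bits:
        return _der(0x03, b"\x00")            # zero-length bit string
    top = max(bits)
    value = bytearray(top // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)    # bit 0 is the most significant bit of byte 0
    unused = 7 - top % 8
    return _der(0x03, bytes([unused]) + bytes(value))


def decode_key_usage(der):
    """Inverse of encode_key_usage, for checking a received value against the mask."""
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    body = der[2:2 + der[1]]                  # short-form length; extension values are small
    unused, data = body[0], body[1:]
    total = len(data) * 8 - unused
    return [KEY_USAGE_NAME[i] for i in range(total)
            if data[i // 8] & (0x80 >> (i % 8)) and i in KEY_USAGE_NAME]


def encode_basic_constraints(is_ca):
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE }; DER omits a value equal to its default."""
    return _der(0x30, _der(0x01, b"\xff") if is_ca else b"")


def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = _der(0x01, b"\xff") if critical else b""
    return _der(0x30, _der(0x06, oid) + crit + _der(0x04, value))


def certify_extensions(mask, is_ca):
    """The two extensions slides 6 and 11 say a Certify request would carry."""
    return {
        "keyUsage": encode_extension(OID_KEY_USAGE, True,
                                     encode_key_usage(key_usage_from_mask(mask))),
        "basicConstraints": encode_extension(OID_BASIC_CONSTRAINTS, True,
                                             encode_basic_constraints(is_ca)),
    }


if __name__ == "__main__":
    for name, ext in certify_extensions(UsageMask.CERTIFICATE_SIGN | UsageMask.CRL_SIGN, True).items():
        print(name, ext.hex())
```

Both extensions are marked critical here because a relying party that does not understand Basic Constraints must not treat a leaf key as a CA; the encoder follows DER's rule of dropping trailing zero bits so that `digitalSignature, keyEncipherment` comes out as the canonical `03 02 05 a0`.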

