mPKI Interoperability I-D: ChangeLog from -00 to -01
Oct 27, 2003
Masaki SHIMAOKA, SECOM Trust.net
2. Abstract of this I-D
This memo is intended to share the awareness necessary for deploying a multi-domain PKI. Its scope is to establish trust relationships and interoperability between plural PKI domains. Both single-domain PKI and multi-domain PKI are established by trust relationships between CAs. Typical and primitive PKI models are specified as single-domain PKI. A multi-domain PKI built from plural single-domain PKIs is categorized as either a multi-trust-point model or a single-trust-point model. The multi-trust-point model is based on the trust list model, and the single-trust-point model is based on cross-certification.
3. I-D contents
  1 Introduction
  2 Requirements and Assumptions
  3 Trust Relationship
  4 PKI Domain (new)
  5 Single-domain PKI
  6 Multi-domain PKI
  7 Security Considerations
  8 References
  9 Acknowledgements
  10 Author's Address
  11 Full Copyright Statement
4. CHANGES
  - Add figures
    - Structure of multi-domain PKI
    - Each PKI model
  - Terminology and Assumptions
    - Modify some terminology
    - Assumptions for Repository
  - Define PKI Domain
    - Add new section
  - Modify the definition of some PKI models
    - Cross-Certification model
    - Subordination model
    - Hub model
  - Considerations for a trusted third CA
    - Trusted Third CA in the Hub model and the Super domain model
  - Security Considerations
    - Certificate and CRL Profile
    - Asymmetric problem
5. 1. Structure of multi-domain PKI

  +------------------+                +-------------------+
  |   PKI domain     |                |                   |
  |                  | Domain-Domain  |                   |
  |     +-----+      |    Trust       |      +-----+      |
  |     | PCA |<-----|-Relationship---|----->| PCA |      |
  |     +-----+      |                |      +-----+      |
  |        ^         |                |                   |
  |        |  CA-CA Trust             |                   |
  |        |  Relationship            |                   |
  |        v         |                |                   |
  |     +----+       |                |                   |
  |     | CA |       |                |                   |
  |     +----+       |                |                   |
  +------------------+                +-------------------+
6. 2. Requirements & Assumptions
  - Modified terminology: see the actual I-D.
  - Assumptions for Repository
    - A repository is necessary to support certification path construction.
    - This I-D does not specify whether the repository is accessed via HTTP or LDAP.
7. 3. Trust relationship
  3.2 Cross-Certification
    - Change the self-signed certificate requirement for the CA issuing the cross-certificate from SHOULD to MUST.
    - Add how to store the cross-certificate in the directory server.
  3.3 Subordination
    - Add considerations for the case where a subordinate CA issues a self-signed certificate.
8. 4. PKI domain
  4.1 Requirements for a PKI domain
    - A set of PKIs that share more than one common policy.
    - No policyId is needed for the common policy.
  4.2 Risk analysis of a PKI domain
    - Problems arising from the lack of a policyId.
  4.3 Requirements for multi-domain PKI
    - Additional requirements for multi-domain PKI.
9. 6. Multi-domain PKI
  6.2.3 Hub model
    - Add detailed requirements, especially Bridge CA requirements.
  6.2.4 Considerations for a trusted third CA
    - Trusted Third CA: the Bridge CA in the Hub model; the Top CA in the Super domain model.
    - Considerations for a trusted third CA in a multi-domain PKI.
10. 7. Security Considerations
  - Certificate and CRL profile
    - The critical flag of extensions used only within a local PKI domain.
  - Asymmetric problem
    - Hybrid trust model
      - X to Y: cross-certification model
      - Y to X: trust list model
    - Asymmetric policy mapping
      - X to Y: X.1 := Y.1
      - Y to X: Y.1 := X.2
    - Figure: CA-X and CA-Y are linked by a CrossCert (X to Y, X.1 := Y.1) and a Trust List (Y to X, Y.1 := X.2); CA-A is attached to CA-X with A.1 := X.1, and CA-B is attached to CA-X with X.2 := B.1.
    - SHALL CA-A trust CA-B?
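To make the asymmetric-mapping question concrete, here is an added example (not code from the slides or from the I-D): a small policy-mapping walker that composes the slide's "P := Q" (issuerDomainPolicy := subjectDomainPolicy) mappings hop by hop, in a deliberately simplified version of RFC 5280 section 6.1.4 processing. The CA-X/CA-Y hops and their mappings are taken from the slide; the direction of the CA-A to CA-X and CA-X to CA-B relationships is read off the figure and, like treating the trust-list hop as an edge with a locally configured mapping, is an assumption.

```python
"""Added example (not from the slides or the I-D): a simplified policy-mapping
walker that makes the asymmetric-mapping question concrete."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TrustEdge:
    """One trust relationship from `issuer` to `subject`.

    `mappings` holds (issuerDomainPolicy, subjectDomainPolicy) pairs, i.e. the
    slide's "P := Q" notation read left to right.  `kind` records whether the
    relationship is a cross-certificate or a trust-list entry; the walker
    treats both the same way, which is itself a simplification (assumption).
    """
    issuer: str
    subject: str
    mappings: Tuple[Tuple[str, str], ...]
    kind: str


# Constructed from the slide's figure.  The A->X and X->B directions are read
# off the figure and are assumptions; the X<->Y hops are stated on the slide.
EDGES: Tuple[TrustEdge, ...] = (
    TrustEdge("CA-A", "CA-X", (("A.1", "X.1"),), "cross-cert"),
    TrustEdge("CA-X", "CA-Y", (("X.1", "Y.1"),), "cross-cert"),  # X to Y: X.1 := Y.1
    TrustEdge("CA-Y", "CA-X", (("Y.1", "X.2"),), "trust-list"),  # Y to X: Y.1 := X.2
    TrustEdge("CA-X", "CA-B", (("X.2", "B.1"),), "cross-cert"),
)


def map_policies(policies: FrozenSet[str], edge: TrustEdge) -> FrozenSet[str]:
    """Carry a policy set across one hop.

    Simplified RFC 5280 6.1.4 behaviour: a policy survives the hop only if the
    issuer maps it to a subject-domain policy.  anyPolicy, inhibitPolicyMapping
    and certificatePolicies checks are deliberately left out.
    """
    return frozenset(subj for iss, subj in edge.mappings if iss in policies)


def walk(initial: FrozenSet[str], path: Tuple[TrustEdge, ...]) -> FrozenSet[str]:
    """Return the policies still valid at the end of `path`; an empty set means
    the path yields no acceptable policy for a relying party starting with `initial`."""
    policies = initial
    for edge in path:
        policies = map_policies(policies, edge)
        if not policies:
            break
    return policies


def find_paths(edges, start: str, goal: str) -> List[Tuple[TrustEdge, ...]]:
    """Every path from `start` to `goal` that uses each edge at most once.

    A CA may be visited twice (CA-X is, below); real path builders usually
    prune such loops, which is exactly why the answer depends on the builder.
    """
    found: List[Tuple[TrustEdge, ...]] = []

    def dfs(node: str, used: FrozenSet[TrustEdge], path: List[TrustEdge]) -> None:
        if node == goal and path:
            found.append(tuple(path))
            return
        for e in edges:
            if e.issuer == node and e not in used:
                dfs(e.subject, used | {e}, path + [e])

    dfs(start, frozenset(), [])
    return found


def evaluate(initial, start: str, goal: str, edges=EDGES) -> Dict[str, List[str]]:
    """Map each path (rendered as 'CA-A -> CA-X -> ...') to its surviving policies."""
    results: Dict[str, List[str]] = {}
    for path in find_paths(edges, start, goal):
        label = " -> ".join([path[0].issuer] + [e.subject for e in path])
        results[label] = sorted(walk(frozenset(initial), path))
    return results


if __name__ == "__main__":
    for label, policies in evaluate({"A.1"}, "CA-A", "CA-B").items():
        print(f"{label}: {policies or 'no valid policy'}")
    print("CA-B -> CA-A:", evaluate({"B.1"}, "CA-B", "CA-A") or "no path")
```

Under these assumptions the direct path CA-A -> CA-X -> CA-B ends with no valid policy (A.1 lands on X.1, but CA-B is reached from X.2), while the detour CA-A -> CA-X -> CA-Y -> CA-X -> CA-B reaches B.1 only because the Y-to-X trust-list mapping Y.1 := X.2 is not the inverse of the X-to-Y cross-certificate mapping X.1 := Y.1. Whether a relying party under CA-A ends up trusting CA-B therefore depends on which path its builder constructs, which is the asymmetry the slide flags; the slide itself leaves the question open, and full RFC 5280 processing (certificatePolicies on each certificate, anyPolicy, inhibitPolicyMapping) would have to be applied before drawing any conclusion about a real deployment.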
11. Working Items
  - Sort models into intentional and non-intentional ones
    - The Authority Trust List model and the Mesh model MAY be non-intentional models.
  - Reconsider the Trust list model
    - Most actual Trust list deployments do not use a policyId.
  - Select appropriate terms
    - "trusty PKI domain" and "trusted PKI domain"
    - "trusted third CA"
    - "Top CA" in the Super domain model
  - Resolve the remaining TBD items
  - MUST collect more comments and review!
  - All items will be fixed in -02.
12. Future Plan
  '03 Nov  58th IETF: discuss with the AD and WG chairs the necessity of publishing this BCP; call for reviewers
  '03 Dec  Release -02
  '04 Jan  Review by reviewers
  '04 Feb  Release -03, reflecting the review
  '04 Mar  59th IETF: poll on the PKIX ML
  '04 Apr  Release -04, reflecting the review on the PKIX ML; recommend standardization of this I-D to the IESG with the AD and WG chairs
  '04 Aug  60th IETF: hope to reach Last Call status by the 60th IETF!
13. Related Resources
  - Challenge PKI homepage: Multi-domain PKI interoperability Framework, http://www.jnsa.org/mpki/
    - The newest version of this I-D is linked from there.
    - This site also serves as the repository of this I-D for minor updates.