Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Published byHunter Grady Modified over 10 years ago

Similar presentations

Presentation on theme: "A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74."— Presentation transcript:

1 A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74

2 Background This has been the topic of WG discussion – who should be putative TA for the RPKI – how should TA material be published Focus the discussion by creating a document to address Trust Anchors for the RPKI – Removed section 6.3 from Res Cert profile draft – Created a new draft with this material – draft-ietf-sidr-ta-00.txt

3 Who? Draft is silent on prescribing roles for bodies: This document does not nominate any organizations as default trust anchors for the RPKI. Reasons for this position: – This task falls outside of IETF WG direction relating to conventional protocol parameter registry functions – The standard technology specification should encompass use in a broad spectrum of contexts including various forms of private use as well as public However, the document does observe that: for most RPs, the IANA is in a unique role as the default TA for representing public address space and public AS numbers.

4 How? No change from previous TA specification in draft-ietf-sidr-res-certs – (aside from some terminology clarifications) Two-Tier Model of Trust Anchor – Allows for variation in resources held at the root while keeping the trust anchor material constant – Can be used in a variety of contexts, both public and private – Aligns with the TA work in PKIX WG (draft-ietf- pkix-ta-format-01)

5 ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA 1. External Trust Anchor Certificate - ETA

6 ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA CRL of ETA Issuer: ETA Signed: ETA 2. Certificate Revocation List for ETA

7 ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA CRL of ETA Issuer: ETA Signed: ETA 3. ETA EE Certificate (for CMS Object Verification)

8 ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA CRL of ETA Issuer: ETA Signed: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: RPKI TA 4. RPKI TA Certificate

9 CMS Payload CMS Header ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA CRL of ETA Issuer: ETA Signed: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: RPKI TA CMS Signed Object Signed: ETA EE 5. CMS packaging of the RPKI TA Certificate

10 CMS Payload CMS Header ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA CRL of ETA Issuer: ETA Signed: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: RPKI TA CMS Signed Object Signed: ETA EE

Download ppt "A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.

RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Similar presentations

Ads by Google