Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.

Published byRoderick Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies."— Presentation transcript:

1 A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies

2 CP & CPS RFCs  RFC 3647 (Informational) provides an outline and explanatory text for defining A certificate policy (CP) A certification practice statement (CPS)  This RFC is very widely cited Essentially every large scale PKI publishes a CPS and uses the outline from 3647 as its model When a certificate issuer publishes a certificate policy (CP), it usually follows the format defined in this RFC  There is one outline in 3647; it nominally applies to both CP and CPS documents

3 What is a CP?  X.509 defines a certificate policy as "a named set of rules that indicates the applicability of certificate to a particular community and/or class of applications with common security requirements"  A CP provides guidance to relying parties, to help them know whether a certificate is appropriate for use in conjunction with a specific application  A CP provides liability protection for a CA, by declaring the intended range of uses for the certificates issued by the CA

4 Does SIDR Need to Define a CP?  The certificates being defined for the resource PKI are targeted to a specific application context (not generic), so it seems especially important to define a CP consistent with the anticipated range of uses for these certificates  This is within the charter of SIDR ”Document the use of certification objects within this secure routing architecture”  A CP is “named” by an object identifier (OID) and we have an OID for this policy: id-cp-ipAddr-asNumber OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) cp(14) 2 }

5 Resource Certificate PKI CP  RFC 3647 assumes that a PKI will not use ALL of the outline elements in the RFC  The CP Internet Draft is a profiled subset of 3647, reflecting the authors’ perception of what is relevant to the resource certificate PKI  The result is a document about 47 pages, as opposed to RFC 3647, which is a bit under 100 pages! The document maintains section level numbering consistent with 3647, to make it easy to compare with other CPs

6 What Does a CP Describe?  The purpose of the PKI  PKI participants (CAs, Subscribers, RPs)  How certificates and CRLs are published (repository model)  Allowed and prohibited uses for certificates in the PKI  Name forms allowed in certificates  Procedures for certificate issuance, acceptance, revocation, re-key, and modification  Etc.

7 An Excerpt from the CP I-D 1.3.4. Relying parties Entities that need to validate claims of address space and/or AS number current holdings are relying parties. Thus, for example, entities that make use of address and AS number allocation certificates in support of improved routing security are relying parties. This includes ISPs, multi-homed organizations exchanging BGP traffic with ISPs, and subscribers who have received a “portable” allocation of address space from a registry.

8 What is a CPS?  A CPS is defined by RFC 3647 as “a more detailed description of the practices followed by a CA in issuing and otherwise managing certificates […] published by or referenced by the CA”  A CPS is CA-specific document, whereas a CP may be common across many CAs in the same PKI  A CPS also documents the means by which subjects and relying parties interact with a CA For certificate issuance, renewal & revocation For acquiring CRLs

9 Do We Need a CPS for this PKI?  Yes!  We need a standard way to document the means by which subjects and relying parties interact with the CA for Certificate requests Certificate revocation requests Certificate distribution CRL distribution

10 Resource Certificate CPS Template  Unlike the CP, each CPS is a per-CA document, so this I-D has lots of “fill in the blank” text areas; each CA must customize its version of the CPS  This document is 47 pages, but when a CA fills in the text that it must to complete the document, it will be much bigger  As with the CP, the document maintains section level numbering consistency with 3647, to make it easy to compare with other CPSs  One template is intended for RIRs & NIRs, the other is for ISPs

11 A CPS Outline Snippet 6.0 Technical Security Controls Key pair generation and installation Private Key Protection and Cryptographic Module Engineering Controls Other aspects of key pair management Activation data Computer security controls Life cycle technical controls Network security controls

12 Summary  These three I-Ds are on track to become Informational RFCs from the SIDR WG  Comments, especially from registries and ISPs, are needed to ensure that these documents are appropriate!

Download ppt "A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
Experimental Internet Resource Allocations Philip Smith, Geoff Huston September 2002.

Experimental Internet Resource Allocations Philip Smith, Geoff Huston September 2002.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Similar presentations

Ads by Google