Presentation is loading. Please wait.

Presentation is loading. Please wait.

Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, 2001. Amsterdam.

Published byDomenic Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, 2001. Amsterdam."— Presentation transcript:

1 Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, 2001. Amsterdam

2 PKI-COORD 2001 - 2 Outline IRIS-PCA  New members and evolution  Policy update  Integration into EuroPKI PKCS#11 libraries  UmPKCS11 E-mail timestamp server  Development just started PAPI  Current status  PAPI v1.1  The pilot PAPI mesh The case for BCAs in Europe

3 PKI-COORD 2001 - 3 IRIS-PCA Four new candidate organizations  Expected to be fully integrated before the end of the year  Problems for already established PKIs Contacts with other Spanish initiatives in PKIs  Governmental: CERES  Private: ACE (has become VeriSign) Still looking for the PKI killer application

4 PKI-COORD 2001 - 4 IRIS-PCA: Policy update New version of the policy document  OID: 1.3.6.1.4.1.7547.2.2.1.1.3 http://www.rediris.es/cert/proyectos/ iris-pca/docs/politica.html An English translation is available http://www.rediris.es/cert/proyectos/ iris-pca/docs/politica-pca-ingles.rtf Submitted to EuroPKI for acceptance

5 PKI-COORD 2001 - 5 PKCS#11 Library Developed by the University of Murcia for their internal PKI project  Available for Unix/Linux and Windows  Thoroughly tested in an operational environment More than 15,000 users Acces control, clock-in, facility reservation,... Available under GPL  http://umpkcs11.sourceforge.net/ http://umpkcs11.sourceforge.net/ Source and RPM formats  Full documentation under development

6 PKI-COORD 2001 - 6 PAPI Current version available is 1.0.2  http://www.rediris.es/app/papi/dist.en.html http://www.rediris.es/app/papi/dist.en.html Point of Access based on Apache mod_perl  Configurable using Apache directives inside httpd.conf Authentication hooks for  Internal database  POP-3  LDAP Includes a set of enhanced documentation  FAQ FAQ  Guide for Beginners Guide for Beginners

7 PKI-COORD 2001 - 7 PAPI Version 1.1.0 is under test Problem: PoAs using the same policy must load different tokens to the user’s browser  Lack of scalability for large services Solution: PoAs with the same policy are grouped into a GPoA  Tokens are assigned hierarchically Better managenent of tokens  Registered by the PoA once all contents are received by the user’s browser Simplified installation and operation

8 PKI-COORD 2001 - 8 PAPI V1.1 implementation of GPoAs Browser Authentication Server Keys Hcook- Lcook GPoA GPoAPoA Hcook- Lcook PoA 302+ Hcook 302 + data

9 PKI-COORD 2001 - 9 The PAPI pilot mesh Using PAPI ASs and PoAs  Remote access to restricted services  Inter-institutional trust relationships A fairly complete cocktail  Three universities (one virtual)  Two commercial information providers  One library consortium  A public content provider More organizations to join in the near future  So we can erase the “pilot” PAPI is under test in other academic networks  We now about three of you

10 PKI-COORD 2001 - 10 Bridge CAs Integrate existing PKIs which may implement different architectures, security policies, and cryptographic suites  Address the shortcomings of the two basic PKI integration methods: mesh and hierarchical Are not root CAs  Connect trust domains through cross certificate pairs creating a “bridge of trust” Do not issue certificates directly to users Are not used as a trust point by the users of the PKIs involved  User keep their natural trust point Based on the PKIX standards

11 PKI-COORD 2001 - 11 Bridge CA Architecture Bridge Principal CA Bridge of trust

12 PKI-COORD 2001 - 12 The Federal Bridge CA Principal CAs cross-certificate with the FBCA membrane  The FBCA is built using several cross-certified commercial CAs  The membrane offers a common boundary for them Certification Policy mapping  OID@certificatePolicies extension Directory Services  All certificates issued by any node of the FBCA  All certificates issued to any node of the FBCA  All cross certificates pairs containing certificates held or issued by the FBCA  A CARL from each node of the FBCA covering certificates issued by that node Libraries for certificate path discovery and validation

13 PKI-COORD 2001 - 13 The experience at RedIRIS Problems in a bottom-up approach Theoretically, hierarchical PKIs are scalable...  Found problems when testing the integration of the RedIRIS PKI directly under another root CA < openssl 0.9.6  The first certificate whose subject name matched the issuer of the current certificate was assumed to be the issuer certificate >= openssl 0.9.6  All certificates whose subject name matches the issuer name of the current certiticate are subject to further tests  One of these tests (applied to the Authority Key Identifier) fails when a new CA is introduced at the top of the hierarchy Solution: cross-certification  Why not at a BCA?

14 PKI-COORD 2001 - 14 Bridge CAs Pros and cons More flexible and extensible than either mesh or hierarchical structures Support a bottom-up approach  Integration of already existing PKIs  Maintain policy independence Require certificate path discovery and validation software  There is a (public) library available Put stress on directory services  Other approaches possible Not much tested (scalability, performance,...)  More experiments are required

Download ppt "Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, 2001. Amsterdam."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.

COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
21 mai 2015 Bridges between Certification Authorities.

21 mai 2015 Bridges between Certification Authorities.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt

1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Similar presentations

Ads by Google