Published by Philomena Pauline Parks. Modified over 9 years ago.
1
X.509 extension with security information
draft-chen-pkix-securityinfo-00
IETF 79
chen.shuyi@zte.com.cn
viviytliu@gmail.com
2
draft-chen-pkix-securityinfo-00.txt

Security analyses of distributed networks seldom take the harmful influence of the underlay into consideration. Nodes with weak protection in the underlay greatly degrade the security of the distributed network. We want to make the overlay aware of the underlay's security posture in a scalable and practical way.

- This X.509 certificate extension carries underlay security information about the subject.
- Based on this certificate, one entity or node can learn another's security posture and then adjust its strategy to avoid attacks from malicious entities.
3
Assessment Elements

    SecurityData ::= SEQUENCE {
        antivirus              [0] AntivirusData,
        firewall               [1] FirewallData,
        operatingSystem        [2] OSData,
        vulnerabilityDatabase  [3] VDData,
        maliciousPlug-in       [4] MPIData,
        otherSecData           [5...MAX] ANY defined security data, OPTIONAL
    }

    BasicInfo ::= SEQUENCE {
        version       IA5String,
        manufacturer  IA5String,
        renewal       BOOLEAN
    }

    AntivirusData ::= SEQUENCE {
        antivirusBase       BasicInfo,
        otherAntivirusData  ANY defined AntivirusData OPTIONAL
    }
4
Assessment Elements

    FirewallData ::= SEQUENCE {
        firewallBase       BasicInfo,
        supFTPFileFilter   BOOLEAN,
        supAntivirus       BOOLEAN,
        supConFilter       BOOLEAN,
        defDOS             BOOLEAN,
        rtInRes            BOOLEAN,
        autoLogScan        BOOLEAN,
        otherFirewallData  ANY defined FirewallData OPTIONAL
    }

    OSData ::= INTEGER   -- because OS data is private

    VDData ::= BOOLEAN

    MPIData ::= SEQUENCE {
        malPlugIn  ANY defined malicious Plug-In
    }
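
To show what a relying party has to validate before trusting these posture flags, here is an added example (not code from the draft or its authors) that DER-encodes and strictly decodes the FirewallData structure above. It assumes universal tags and leaves out the optional otherFirewallData field, since the slides give neither a tagging mode nor an extension OID; the function names and sample values are constructed for illustration.

```python
# Added illustration (not draft code): universal tags assumed, otherFirewallData omitted.
FLAGS = "supFTPFileFilter supAntivirus supConFilter defDOS rtInRes autoLogScan".split()
BOOL = {True: b"\x01\x01\xff", False: b"\x01\x01\x00"}   # DER BOOLEAN TLVs

def tlv(tag, body):
    n = len(body)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_firewall(version, manufacturer, renewal, flags):
    base = tlv(0x30, tlv(0x16, version.encode("ascii"))
               + tlv(0x16, manufacturer.encode("ascii")) + BOOL[bool(renewal)])
    return tlv(0x30, base + b"".join(BOOL[bool(flags[f])] for f in FLAGS))

def read(buf, pos, tag):                           # -> (content, next_pos)
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated input")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        if k == 0 or pos + k > len(buf) or buf[pos] == 0 or n < 0x80:
            raise ValueError("indefinite, truncated or non-minimal length")
        pos += k
    if pos + n > len(buf):
        raise ValueError("length runs past end of input")
    return buf[pos:pos + n], pos + n

def read_bool(buf, pos):
    body, pos = read(buf, pos, 0x01)
    if body not in (b"\x00", b"\xff"):             # the only two DER encodings
        raise ValueError("non-canonical BOOLEAN")
    return body == b"\xff", pos

def decode_firewall(der):
    outer, end = read(der, 0, 0x30)
    base, pos = read(outer, 0, 0x30)
    version, p = read(base, 0, 0x16)
    maker, p = read(base, p, 0x16)
    out = {"version": version.decode("ascii"), "manufacturer": maker.decode("ascii")}
    out["renewal"], p = read_bool(base, p)
    for name in FLAGS:
        out[name], pos = read_bool(outer, pos)
    if end != len(der) or p != len(base) or pos != len(outer):
        raise ValueError("trailing bytes")
    return out

SAMPLE = encode_firewall("1.0", "ExampleFW", True, dict.fromkeys(FLAGS, True))  # constructed
```

The decoder rejects non-canonical BOOLEANs, padded lengths and trailing bytes, so two parties cannot read different posture values out of the same signed bytes.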
5
Comments

PKIX WG
Why not attribute certificate or short life health identity certificate?
- posture frequently changes/update mechanism implementation of PKI/PMI
- subject directory attribute extension-update problem
Verify
- third trusted party
- proxy certificate
6
NEA WG
Assertion Attributes / Posture Attributes
- endpoint posture: IETF standard subtypes
- relationship with security information?

Way to go
Discussion