Download presentation
Presentation is loading. Please wait.
Published byStephany Burns Modified over 9 years ago
1
Path Construction “It’s Easy!” Mark Davis
2
Current WP Scope u Applications that make use of public key certificates have to validate certificate paths. u Before validating a certificate path, it is first necessary to construct that path. u This means finding a set of certificates that appears to chain up to a trust point. u This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".
3
So What is the Problem? u Does not seem to work in the real world u Brought up as area of interest at first PKI Forum u Standards seem to address the problem u Objectives: –Identify parts of the task –Describe the problem –How can PKI Forum make progress?
4
Path Construction u Want to validate a certificate u You have some trusted roots u Each certificate has “issuer name” –May have other information u Path validation described in standards –Start with root –Check each cert (cert, policy, revocation status) –When check of cert of interest complete, then work is done
5
No Problem. Well … u Finding the certificates –Mostly an LDAP problem u Finding a path –Graph theory problem u Checking a path –Good news! Recognizable correct answer –Whose rules Certificate may or may not contain standard profile Roots may be from different profiles
6
#1 Finding Missing Certificate u Can’t identify certificate –DN non proper –Cert storage not related to Issuer DN –LDAP u “Path Policy” may not use X.509 certificates –PKCS #7 u Interdomain directory authorization problems
7
#2 Finding the path u Assuming you can find the certificates u In real life, number of certificates well bounded u Graph traversal algorithms well understood –I admit that building routing algorithms is hard. But somebody else already did it. –We do not introduce new problems u Each Cert Issuer -> Issue Cert link must be handled by SW u Partial Path’s –SW must parse partial path and maintain like as above
8
Other Problems u…u…
9
What does the paper need to say – Mark’s Version u LDAP is hard (see LDAP WP) u Sometimes you don’t use LDAP to get Certificates (see …) u Graph Traversal is hard (see Knuth) u Path construction is easy!
10
What does the paper need to say – WG Consensus Version u List the problems with LDAP u Recommend protocols and business logic solve as much as problem as possible u Error Handling needs guidance u CA-CA paper must give guidance to bound path construction u Path construction may be a resource intensive –server may be better than on small device u Environmental impacts described
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.