Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

Published byKimberly Hubbard Modified over 9 years ago

Similar presentations

Presentation on theme: "PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of."— Presentation transcript:

1

2 PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder

3 PKI Pieces  X.509 v3 certs  Certificate Revocation Lists  Cert management  Directories  Trust models  Cert-enabled apps  Who’s doing what and what’s next

4 X.509 certs  purpose - bind a public key to a subject  standard fields  extended fields  profiles  client and server cert distinctions

5 Standard fields in certs  cert serial number  the subject, as x.500 DN or …  the subject’s public key  the validity field  the issuer, as id and common name  signing algorithm  signature info for the cert, in the issuers public key

6 Extension fields  Examples - auth/subject subcodes, key usage, LDAP URL, CRL distribution points, etc  Key usage is very important - for digsig, non-rep, key or data encipherment, etc.  Certain extensions can be marked critical - if an app can’t understand it, then don’t use the cert  Requires profiles to document, and great care...

7 Certificate Revocation Lists (CRL)  Purpose - to post revoked certs by serial number  Reasons for revocation include major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)  Path construction - to build the chain of trust from the issuer CA to a CA trusted by the relying party  Certificate validation - uses path to determine if cert is valid  Application and user responses - what to do if revoked? What to do if unknown? Does the app or the user decide?

8 Cert Management  Certificate Management Protocol - for the creation and management of certs  OSCP - on-line CRL plus….  Storage - where (device, directory, private cache, etc.) and how - format  escrow and archive - when, how, and what else needs to be kept  Cert Authority Software  Authority and policies

9 CA Software  SUN/Netscape  IBM  W2K Server  SSLEAY (Open SSL and Open CA) (http://www.openca.org/docs/mission.shtml) (www.openssl.org)http://www.openca.org/docs/mission.shtml  vandyke and Cygnacom in the public domain for path math

10 Directories  to store certs  to store CRL  to store private keys, for the time being  to store attributes  implement with border directories, or acls within the enterprise directory, or proprietary directories

11 Trust model components  Certificate Policy Statements - uses of particular certs, assurance levels for I/A, audit and archival requirements  Certificate Practices - the nitty gritty operational issues  Hierarchies vs Bridges a philosopy and an implementation issue the concerns are transitivity and delegation hierarchies assert a common trust model bridges pairwise agree on trust models and policy mappings

12 Cert-enabled applications  Browsers  S/MIME email  IPsec and VPN  Globus

13 PKI Activities  DLF: UCOP, Columbia, soon Minnesota  FPKI (http://csrc.nist.gov/pki/twg/welcome.html)  PKI for NGI  CREN CA  In-sources - MIT  Out-sources - Pittsburgh, Texas  PKIforum  W2K

14 PKI Gaps  Trust models  Certificate server software  Local authority  Directories  Ineroperability  Profile Repository  Policies and Policy Mappings

15 Will it fly?  Well, it has to…  Scalability  Performance  OBE  “With enough thrust, anything can fly”

Download ppt "PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.

COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.

1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Similar presentations

Ads by Google