Some Technical Issues in PKI Deployment David Chadwick


1 Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk

2 Certificate Extensions
X.509v3 certificates hold a set of extensions
Each extension is uniquely identified by a globally unique number (an object identifier, OID)
Every organisation possesses its own OID arc, so can define its own extensions
  – Netscape extensions, Microsoft extensions, Entrust extensions, Baltimore extensions, your very own extensions
Therefore certificates are infinitely extensible, which can cause interoperability problems: a relying application that meets a critical extension it does not recognise must reject the certificate (RFC 2459 section 4.2), while an unrecognised non-critical extension is simply ignored
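As an added example (not part of the slides), the Python below builds an Extensions block containing one standard extension, one Netscape vendor extension and one private-arc extension, parses it back with a minimal DER walker, and applies the RFC 2459 section 4.2 rule that a certificate carrying an unrecognised critical extension must be rejected. The table of "known" extensions and the private OID 1.3.6.1.4.1.99999.1 are assumptions made for the example; only the standard library is used.

```python
"""Added example: a DER walker for the X.509v3 Extensions SEQUENCE, applying the
RFC 2459 section 4.2 rule for critical extensions. Standard library only."""

KNOWN_OIDS = {                                     # extensions this relying party understands
    "2.5.29.15": "keyUsage",                       # PKIX standard extension
    "2.16.840.1.113730.1.1": "netscapeCertType",   # Netscape vendor extension
}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",  # RFC 2459 4.2.1.3
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
# Hypothetical "your very own extension": the enterprise number under 1.3.6.1.4.1 is made up.
HYPOTHETICAL_PRIVATE_OID = "1.3.6.1.4.1.99999.1"

def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])

def decode_oid(body):
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                    # the first two arcs share one subidentifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def tlv(tag, content):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos, want=None):
    """Return (tag, content, position after the element); enforce the tag if `want` is given."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n >= 0x80:                        # long form: low bits give the length of the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf) or (want is not None and tag != want):
        raise ValueError(f"bad DER element: tag {tag:#x}, length {n}")
    return tag, buf[pos:pos + n], pos + n

def build_extension(oid, critical, value):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = tlv(0x06, encode_oid(oid))
    if critical:                         # DER omits DEFAULT values, so FALSE is never encoded
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def build_extensions(exts):
    return tlv(0x30, b"".join(build_extension(*e) for e in exts))

def parse_extensions(der):
    _, seq, _ = read_tlv(der, 0, 0x30)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos, 0x30)
        _, oid_body, p = read_tlv(ext, 0, 0x06)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                  # the optional critical BOOLEAN is present
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        oid = decode_oid(oid_body)
        out.append({"oid": oid, "name": KNOWN_OIDS.get(oid), "critical": critical, "value": body})
    return out

def decode_key_usage(value):
    """keyUsage extnValue wraps a BIT STRING whose first byte counts unused trailing bits."""
    _, body, _ = read_tlv(value, 0, 0x03)
    nbits = 8 * (len(body) - 1) - body[0]
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and body[1 + i // 8] >> (7 - i % 8) & 1]

def unrecognised_critical(exts):
    """Critical extensions outside the registry: RFC 2459 says reject the certificate."""
    return [e["oid"] for e in exts if e["critical"] and e["name"] is None]

# Constructed sample: critical keyUsage (digitalSignature + keyEncipherment), a non-critical
# Netscape cert-type, and a critical private extension that no other implementation knows.
SAMPLE_EXTENSIONS = [
    ("2.5.29.15", True, bytes.fromhex("030205a0")),
    ("2.16.840.1.113730.1.1", False, bytes.fromhex("03020780")),
    (HYPOTHETICAL_PRIVATE_OID, True, bytes.fromhex("0401ff")),
]

def check_sample():
    exts = parse_extensions(build_extensions(SAMPLE_EXTENSIONS))
    return exts, unrecognised_critical(exts)
```

Running `check_sample()` shows where the interoperability problem comes from: the same vendor extension is harmless when marked non-critical and fatal when marked critical, so a certificate issued for one product's users can be unusable by everyone else's software through a single flag.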

4 Certificate Profiles
These try to limit the extensions that are allowed in certificates
  – e.g. the PKIX profile specified in RFC 2459
But the profiles themselves offer many options, e.g.
  – one, two or three key pairs per user (a single dual-use key, separate signing and encryption keys, or typically signing, encryption and authentication keys)
  – one certificate policy or more
  – any algorithm, e.g. DSA, RSA or elliptic curve

5 Key Lifecycles
Key Generation
  – by the CA or the user?
Initial Certification
  – What protocol? CMP (RFC 2510), or PKCS#10 requests answered with CMS (PKCS#7) messages
Storage of Private Keys
  – Where? Hardware or software. Software-only storage is a problem in a university environment
  – Portability between applications
  – Portability of hardware devices, e.g. smart cards
Revocation of Public Key Certificates
  – How, and by whom? Automatic or manual, and how the revocation request is authenticated

6 Key Lifecycles (cont)
Publication of Certificates and CRLs
  – Using LDAP, FTP or the Web?
  – Retrieval issues: how to select the right certificate when a user has several
Key Update / Rollover
  – User keys: manual or automatic
  – Root CA keys, and migration of users to the new root key
Key Backup
  – Do we want it or not? For decryption keys probably yes (otherwise encrypted data is lost with the key); for signing keys definitely NO (a second copy of a signing key, however well guarded, undermines the claim that only the user could have produced a signature)
Key Archive
  – For non-repudiation purposes: old certificates and revocation information must stay available so that signatures made years earlier can still be verified

7 Problems with Use of LDAP
Cannot search for particular certificates or CRLs (the certificate is stored as an opaque binary attribute value, so an ordinary filter cannot match on fields inside it)
  – Create separate attributes and search for them
  – Or retrieve all the certificates from the same entry and hope they are the ones you want
Cannot retrieve particular certificates or CRLs
  – Create separate attribute types, e.g. encCertificate and userCertificate
  – Create separate entries, e.g. CN=David Chadwick (Enc)
  – Create separate subtrees, e.g. OU=Encryption
  – Create child entries holding different certificates
LDAP is poor at supporting distributed directories
  – Causes problems for multiple CA interworking

8 Certification Infrastructures - Which Type?
Hierarchy, with a single root of trust, e.g. Identrus, EuroPKI
Cross certification between peer CAs or hierarchies - technical and legal issues (each pair of CAs must exchange cross-certificates, and relying parties must discover and validate the longer paths that result)
Bridge CA - a central point for cross certification; it sets the policy, each participating CA cross-certifies only with the bridge, and the bridge acts as a bridge of trust between them
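The three shapes on this slide differ mainly in how a relying party finds a path from its own trust anchor to a certificate it has never seen. The Python below is an added example, not from the slides: it reduces certificates to issuer/subject name pairs and runs breadth-first path discovery over a set of hierarchies, over the same hierarchies joined by full peer cross-certification, and over them joined through a bridge CA. All CA and user names are constructed for the example; signatures, policy mapping and name constraints are out of scope.

```python
"""Added example: certification path discovery over a hierarchy, peer
cross-certification and a bridge CA. Certificates are reduced to naming
(issuer, subject); signatures, policies and name constraints are out of scope."""
from collections import deque


class Cert:
    """A certificate reduced to the naming chain: who issued it, and to whom."""
    __slots__ = ("issuer", "subject")

    def __init__(self, issuer, subject):
        self.issuer, self.subject = issuer, subject

    def __repr__(self):
        return f"{self.issuer}->{self.subject}"


def full_mesh(roots):
    """Peer cross-certification: every root issues a certificate to every other root."""
    return [Cert(a, b) for a in roots for b in roots if a != b]


def bridge_mesh(roots, bridge="Bridge CA"):
    """Bridge CA: each root and the bridge certify each other; roots never certify each other."""
    return [c for r in roots for c in (Cert(r, bridge), Cert(bridge, r))]


def build_path(trust_anchor, target, certs):
    """Breadth-first search from the trust anchor's name to the target's name.
    Returns the shortest path as a list of certificates, anchor-first, or None."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    parent = {trust_anchor: None}          # name -> certificate through which it was reached
    queue = deque([trust_anchor])
    while queue:
        name = queue.popleft()
        if name == target:
            path = []
            while parent[name] is not None:
                path.append(parent[name])
                name = parent[name].issuer
            return path[::-1]
        for c in by_issuer.get(name, []):
            if c.subject not in parent:    # skips loops such as reciprocal cross-certificates
                parent[c.subject] = c
                queue.append(c.subject)
    return None


def describe(trust_anchor, target, certs):
    path = build_path(trust_anchor, target, certs)
    return None if path is None else [repr(c) for c in path]


# Constructed sample: three independent PKIs with hypothetical names.
ROOTS = ["Root A", "Root B", "Root C"]
HIERARCHIES = [Cert("Root A", "Sub A"), Cert("Sub A", "alice"),
               Cert("Root B", "Sub B"), Cert("Sub B", "bob"),
               Cert("Root C", "carol")]
PEER_PKI = HIERARCHIES + full_mesh(ROOTS)      # n(n-1) cross-certificates
BRIDGE_PKI = HIERARCHIES + bridge_mesh(ROOTS)  # 2n cross-certificates

if __name__ == "__main__":
    for label, certs in [("hierarchy only", HIERARCHIES), ("peer cross-cert", PEER_PKI), ("bridge", BRIDGE_PKI)]:
        print(f"{label:16} Root A -> bob: {describe('Root A', 'bob', certs)}")
    print("cross-certs for 10 roots: mesh", len(full_mesh(range(10))), "bridge", len(bridge_mesh(range(10))))
```

The reciprocal certificates that cross-certification and bridging create are exactly why a naive depth-first chain walk loops; the `parent` map is the minimum a path builder needs to avoid that, and a real one must additionally verify each signature, check validity and revocation for every certificate on the path, and honour the policy constraints the bridge imposes.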

