Higher Education Bridge Certification Authority: Scaleable Linking of PKI trust domains. David L. Wasley, Fall 2006.


Slide 1: Higher Education Bridge Certification Authority: Scaleable Linking of PKI trust domains. David L. Wasley, Fall 2006 PKI Workshop.

Slide 2: Topic Span
- What's a bridge?
- How is it different than "normal" PKI?
- Why is it useful?
- What is the HEBCA?

Slide 3: Bridged vs. Hierarchical PKI
- Hierarchical PKI assumes uniform policy and works with most products today
  - Hierarchies are "PKI islands"
  - Therefore browsers include 100+ "trust anchors"
- Bridging allows mapping between different PKI policies, but very few products support this (yet)
  - Mapping info is used during path validation
- Bridging can link "islands" and provide superior trust management
  - Therefore we believe it will become important ...

Slide 4 (diagram): PKIs are islands of common trust

Slide 5 (diagram): They can be 'networked'

Slide 6: What this looks like
- A Relying Party under (A) can build a path from a Subject under (C)
- This avoids the RP having to know and understand Trust Anchors (B) and (C)
- But not vice versa

Slide 7 (diagram): Cross-cert can be done bi-laterally

Slide 8 (diagram): A "bridge" serves as the hub of trust
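The topologies on slides 6, 7 and 8 can be checked mechanically. The following is an added example, not part of the presentation: cross-certificates are modelled as directed (issuer, subject) pairs and the relying party's path discovery is a breadth-first walk in the issued direction only. The CA names ("A", "B", "C", "D", "Bridge") are hypothetical placeholders. It shows why a unilateral cross-cert lets A reach C but not vice versa, and why a hub needs 2N cross-certificates where a full bilateral mesh needs N(N-1).

```python
from collections import deque

# Cross-certificates are modelled as (issuer CA, subject CA) pairs. The CA
# names used below are hypothetical placeholders constructed for this example.


def build_path(cross_certs, trust_anchor, target_ca):
    """Return the chain of CAs a relying party anchored at trust_anchor can
    follow to target_ca, or None when no chain exists.

    Edges are walked issuer -> subject only, i.e. in the direction the
    cross-certificates were actually issued. That is why a unilateral
    cross-cert lets A reach C "but not vice versa" (slide 6)."""
    issued_to = {}
    for issuer, subject in cross_certs:
        issued_to.setdefault(issuer, []).append(subject)
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ca:
            return path
        for nxt in issued_to.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def unilateral_chain(domains):
    """Slide 6: each domain cross-certifies only the next one (A -> B -> C)."""
    return [(domains[i], domains[i + 1]) for i in range(len(domains) - 1)]


def bilateral_mesh(domains):
    """Slide 7 extended to every pair: N domains need N*(N-1) cross-certs."""
    return [(a, b) for a in domains for b in domains if a != b]


def bridge_topology(domains, hub):
    """Slide 8: every domain cross-certifies bilaterally with the hub only,
    so N domains need 2*N cross-certs and any two can still reach each other."""
    certs = []
    for d in domains:
        certs.append((d, hub))  # the domain's trust anchor certifies the bridge
        certs.append((hub, d))  # the bridge certifies the domain's CA
    return certs


if __name__ == "__main__":
    chain = unilateral_chain(["A", "B", "C"])
    print("A -> C:", build_path(chain, "A", "C"))  # ['A', 'B', 'C']
    print("C -> A:", build_path(chain, "C", "A"))  # None: not vice versa
    campuses = ["A", "B", "C", "D"]
    print("mesh certs:", len(bilateral_mesh(campuses)))  # 12
    hub = bridge_topology(campuses, "Bridge")
    print("bridge certs:", len(hub))  # 8
    print("A -> D via hub:", build_path(hub, "A", "D"))  # ['A', 'Bridge', 'D']
```

Path discovery is only half of the relying party's work: the chain found here still has to pass path validation, where the policy mapping extensions on each cross-certificate decide whether the far end's assurance level is acceptable.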

Slide 9: How does the bridge deal with differences in PKI domain CPs?
- Trust is established by Certificate Policy
- Each PKI domain has a Trust Anchor
- Each domain can specify how its policy is met or exceeded by the other domain's policy
  - Each can place limits on this trust
  - If there is no equivalency, one doesn't trust the other
- The bridge does this with respect to each of its member domains
  - Members must trust the bridge to do this adequately
  - Each can limit how far it is willing to 'network'

Slide 10: How CPs are compared
- Identify all important issues in the CP
  - Organizational responsibilities
  - Trust-affecting issues
- Create matrices to organize the comparison
  - General or common elements
  - Elements that determine Level of Assurance
  - Other differentiating elements

Slide 11: How mapping is instantiated
- A CA's policy is identified by an OID
  - One policy may define OIDs to represent variations such as LOA, etc.
- CA cross-certificate includes "policy mapping field"
  - Contents defined by Issuer
  - Pairs of OIDs
  - "Issuer considers its CP (OID) to be equivalent to Subject CA's CP (OID)" [See RFC 3280]
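Slides 9 and 11 describe what the relying party's validator does with those OID pairs. The following is an added example, not code from the presentation or from HEBCA: a simplified version of the RFC 3280 section 6.1 policy processing, applied to a path from a campus A trust anchor through the bridge to a subject under campus C. The policy OIDs are hypothetical placeholders under the 2.999 example arc, and the example assumes anyPolicy is not used, every certificate is non-self-issued, and an explicit policy is always required. It shows that the end entity is only accepted under A's own policy when every hop maps to an equivalent policy, and that the issuer of the first cross-cert can cap how far trust networks with inhibitPolicyMapping.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy OIDs under the 2.999 example arc, constructed for this
# example; real campus and bridge CPs publish their own OIDs.
A_HIGH = "2.999.1.1"       # campus A, high assurance
BRIDGE_HIGH = "2.999.2.1"  # bridge, high assurance
C_HIGH = "2.999.3.1"       # campus C, high assurance
C_BASIC = "2.999.3.2"      # campus C, basic assurance
D_HIGH = "2.999.4.1"       # campus D, high assurance


@dataclass
class Cert:
    """Only the certificate fields that policy processing looks at."""
    subject: str
    policies: frozenset                            # certificatePolicies, in the issuer's OIDs
    mappings: tuple = ()                           # policyMappings: (issuerDomainPolicy, subjectDomainPolicy)
    inhibit_policy_mapping: Optional[int] = None   # inhibitPolicyMapping skipCerts


def validate_policies(path, initial_policies):
    """Simplified RFC 3280 6.1 policy processing (example code, not a full
    validator). `path` runs from the certificate issued by the relying
    party's trust anchor down to the end-entity certificate. Returns the set
    of the relying party's own policy OIDs the end entity satisfies, or None
    when no acceptable policy survives the path."""
    # expected policy OID for the next cert -> initial policies it traces back to
    expected = {p: {p} for p in initial_policies}
    policy_mapping = len(path) + 1  # effectively unlimited until an inhibit is seen
    for cert in path:
        # 6.1.3(d): the cert must assert a policy the previous step expects
        present = {p: init for p, init in expected.items() if p in cert.policies}
        if not present:
            return None
        # 6.1.4(b): apply the cert's mappings; if mapping is inhibited, the
        # mapped issuer policies are dropped instead of translated
        nxt = {}
        mapped = set()
        for issuer_p, subject_p in cert.mappings:
            if issuer_p not in present:
                continue
            mapped.add(issuer_p)
            if policy_mapping > 0:
                nxt.setdefault(subject_p, set()).update(present[issuer_p])
        for p, init in present.items():
            if p not in mapped:  # unmapped policies carry through unchanged
                nxt.setdefault(p, set()).update(init)
        if not nxt:
            return None
        expected = nxt
        # 6.1.4(h)/(i): count down, then honour inhibitPolicyMapping skipCerts
        if policy_mapping > 0:
            policy_mapping -= 1
        if cert.inhibit_policy_mapping is not None:
            policy_mapping = min(policy_mapping, cert.inhibit_policy_mapping)
    return set().union(*expected.values())


def bridged_path(subject_policy=C_HIGH):
    """A -> Bridge -> C -> end entity, as on slide 6 with a bridge in the middle."""
    return [
        Cert("Bridge", frozenset({A_HIGH}), ((A_HIGH, BRIDGE_HIGH),)),   # issued by A's anchor
        Cert("C", frozenset({BRIDGE_HIGH}), ((BRIDGE_HIGH, C_HIGH),)),   # issued by the bridge
        Cert("user@C", frozenset({subject_policy})),                      # issued by C
    ]


def four_hop_path(skip_certs=None):
    """A -> Bridge -> C -> D -> end entity; A may cap mapping depth."""
    return [
        Cert("Bridge", frozenset({A_HIGH}), ((A_HIGH, BRIDGE_HIGH),), skip_certs),
        Cert("C", frozenset({BRIDGE_HIGH}), ((BRIDGE_HIGH, C_HIGH),)),
        Cert("D", frozenset({C_HIGH}), ((C_HIGH, D_HIGH),)),
        Cert("user@D", frozenset({D_HIGH})),
    ]


if __name__ == "__main__":
    print(validate_policies(bridged_path(), {A_HIGH}))              # {'2.999.1.1'}
    print(validate_policies(bridged_path(C_BASIC), {A_HIGH}))       # None: no equivalency
    print(validate_policies(four_hop_path(), {A_HIGH}))             # {'2.999.1.1'}
    print(validate_policies(four_hop_path(skip_certs=1), {A_HIGH})) # None: too far
```

The result is expressed in the relying party's own OIDs, which is the point of the slide: the RP never needs to read campus C's CP, only to trust that the bridge's equivalency judgement (slide 10) was sound. The skipCerts=1 case is one concrete form of "each can limit how far it is willing to network": mappings in the bridge's cross-cert are honoured, but a further cross-cert issued by C is not.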

Slide 12: Higher Education Bridge CA - HEBCA
- Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
- Patterned after the Federal Gov't FBCA
  - Will cross-cert with FBCA eventually
- Operated at Dartmouth College
  - Test bridge is running
  - CP/CPS almost complete
- Concern about whether there is enough interest (yet) to justify full operation
  - Planning to keep test bridge running

Slide 13: Questions? dlwasley@earthlink.net

