Presentation is loading. Please wait.

Presentation is loading. Please wait.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Published byJulius McDowell Modified over 9 years ago

Similar presentations

Presentation on theme: "Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67."— Presentation transcript:

1 Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67

2 Resource Certificate Profile Background: –This certificate is intended to express a “right-of-use relationship between the subject and an IP number resource set, as certified by the certificate’s issuer –The certificate structure is intended to follow the allocation path – each party certifies their own allocation actions, so that the Issuer’s attestation regarding “right-of-use” mirrors the Issuer’s allocation actions of the number resource to a Subject –The base profile is RFC3280 PKI Certificate Profile and RFC3779 IP Address extensions –The proposed profile for Resource Certificates is in draft-ietf-sidr-res- certs –This draft has been produced by an APNIC editing group, with input from a design team and this WG

3 draft-ietf-sidr-res-certs General constraints: –RFC3779 extensions are a CRITICAL extension and MUST be present, using a sorted canonical representation –An Issuer cannot certify more resources than the Issuer has in existing valid resource certificates –An Issuer cannot certify the same resource to 2 or more distinct Subjects

4 draft-ietf-sidr-res-certs Certificate Fields: Version = 3 Serial Number = positive integer Signature Algorithm = SHA256 with RSA Subject Public Key Info = Minimum bit size of 1024 bits. Intended root certificates should use key size = 2048 bits Basic Constraints = CA ON for allocation certificates, CA = OFF for signing certificates Subject Key Identifier = 160 bit SHA-1 hash of the subject’s public key Authority Key Identifier = 160 bit SHA-1 hash of the issuer’s public key CRLDP =single CRL, with at least an RSYNC:: object URL AIA = publication point of Issuer’s immediate superior certificate (in the form of a PURL), with at least an RSYNC:: object URI SIA = if a CA, publication point of all issued certificates, or if an EE cert, the URL of the object signed with this EE Cert, with at least an RSYNC:: directory URI

5 Draft-ietf-sidr-res-certs Certificate Revocation List Fields Scope = all certificates issued by this CA Version = 2 Authority Key Identifier = 160 bit SHA-1 hash of the issuer’s public key CRL Number = monotonically increasing integer

6 Current Activity The AIA points to the Issuer’s immediate certificate –Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key)

7 Certificate Pointers Issued Certificate Issued Certificates Issuer CA2’s Certificate Store CA2 CA1 SIA (Directory Object) AIA (PURL Object)

8 Refinements to the Profile The AIA points to the Issuer’s immediate certificate –Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key) End Entity (no-CA) Certificates are used as one-off signing certificates –EE cert can be used for a single signing –Private key is destroyed after a single use –EE Cert SIA is a pointer to the object that has been signed with the corresponding private key –Signed object validity and resource attributes are controlled by the associated EE certificate(s)

9 End Entity Certificates 1. Generate Key Pair 2. Generate EE Cert of public key 3. Attach EE Cert to Document 4. Sign with Private Key 5. Destroy Private Key 6. Revoke Signature by revoking EE Cert

10 Refinements to the Profile The AIA points to the Issuer’s immediate certificate –Define this as an object reference persistent URL (i.e persistent across re-issuance, but not against issuer re-key) End Entity (no-CA) Certificates are used as one-off signing certificates –EE cert can be used for a single signing –Private key is destroyed after a single use –EE Cert SIA is a pointer to the object that has been signed with the corresponding private key –Signed object validity and resource attributes are controlled by the associated EE certificate(s) Add the “Security Considerations” section text!

11 Review Comments Examples of Use of Resource Certificates? Example case of a subordinate certificate have a longer validity period than the superior certificate? Is the key size “SHOULD” a minimum or an absolute size? For Signature Algorithm should SHA-384 and SHA-512 be allowed options? Or should this be documented in a CP? Why specify RSYNC access as a “MUST” URI form? What is the normative language here?

12 Next Steps Generate an -03 version post IETF 67 Request WG chair for Last Call on this document

Download ppt "Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.

Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.

RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.

RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Similar presentations

Ads by Google