
Use of AIA for Attribute Certificates


1 Use of AIA for Attribute Certificates
d.w.chadwick@kent.ac.uk

2 Background
X.509 (2009) working on PMI interworking between domains
Defining several new AC extensions for role mappings, attribute hierarchies etc.
Needs an extension to point to the superior in a PMI delegation chain
AIA is the obvious choice, and this is being used by VOMS in the grid world
Last ITU-T meeting in Jeju (May 2006) issued a liaison statement to the PKIX group asking if AIA can be used for ACs

3 Verifying Claimed Privilege
[Diagram] The Root CA signs Bill's, Alice's and Bob's public keys. Bill (SOA) issues an AC to Alice (AA); Alice issues an AC to Bob (Holder); Bob issues a signed command to the Privilege Verifier (RP). The Privilege Verifier checks the delegation of privileges, checks all signatures, and checks that the privilege is sufficient.

4 Two types of trust chain need to be followed from a presented AC
PKI chain of public key certificates from the signer of an AC to a root CA (trust anchor)
– Bob's AC → Alice's PKC → Root CA
PMI chain of attribute certificates from the holder of an AC to the Source of Authority (SoA)
– Bob's AC → Alice's AC → Bill SoA

5 Extensions to support trust chains
We can use Authority Key Identifier inside the holder's AC to point to the PKC of the AC issuer
– AKI will point to Alice's PKC, and off we go using existing PKI rules
We want to use Authority Information Access inside a holder's AC to point to the AC of the AC issuer
– AIA will point to Alice's AC

6 What are the problems with the latest AIA 3280bis-4 text?
Quote: "The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears"
EXCELLENT
BUT
Quote: "This extension may be included in end entity or CA certificates"
Q. Does this exclude ACs?? Stephen thinks not.
Quote: "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
Problem. The access method is specifically focussed on CA certificates and does not allow it to be used to point to ACs

7 Resolution
Either
We define a new access method, id-ad-aaIssuers, identical to the current one in syntax, but with a different name, OID and descriptive text
Or
We modify the existing access method by calling it id-ad-issuers and change the current text from "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension" to "When the id-ad-issuers OID is used, the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
And change all occurrences of id-ad-caIssuers to id-ad-issuers
We can then write appropriate text for id-ad-issuers when it occurs in ACs
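The following is an added worked example, not code from the presentation, from VOMS or from the X.509/PKIX texts. It ties slides 4, 5 and 7 together: it DER-encodes an AIA extension whose AccessDescription carries an access-method OID and a URI, then acts as the privilege verifier of slide 3, walking the PKI chain through the AC issuer's PKC (the AKI, modelled here as an `issuer` field) and the PMI chain through AIA until the SoA is reached. Assumptions: the OID value given to id-ad-aaIssuers is a placeholder (the slides propose the name but assign no value); the URIs, names and privilege numbers are constructed; signature checks are modelled as lookups in an in-memory store rather than cryptographic verification.

```python
"""Toy privilege verifier for the two trust chains in the slides. Added example,
not code from the presentation, VOMS or the X.509 spec: it hand-encodes the AIA
extension in DER (stdlib only), then walks the PKI chain via the AC's AKI
(modelled as `issuer`) and the PMI chain via AIA over constructed in-memory
certificates. Signatures are modelled as lookups, not checked cryptographically."""
from dataclasses import dataclass

ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # RFC 3280bis / RFC 5280
ID_AD_AA_ISSUERS = "1.3.6.1.5.5.7.48.999"  # ASSUMED value: the slides assign no OID

def _tlv(tag, body):
    assert len(body) < 0x80                # short-form DER length is enough here
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                     # base 128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_aia(entries):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription {accessMethod OID,
    accessLocation GeneralName}; uniformResourceIdentifier is [6] IMPLICIT IA5String (0x86)."""
    return _tlv(0x30, b"".join(_tlv(0x30, _oid(m) + _tlv(0x86, u.encode("ascii")))
                               for m, u in entries))

def _read_tlv(buf, pos):                   # short-form lengths only, matching _tlv
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_aia(der):
    """Return [(accessMethod OID, URI)] for the URI-form access locations."""
    _, seq, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, p)
        if loc_tag == 0x86:
            out.append((_decode_oid(oid_body), loc.decode("ascii")))
    return out

@dataclass
class AC:
    holder: str
    issuer: str        # what the AC's AKI names: the signer's PKC subject
    privilege: int
    aia: bytes = b""   # DER AIA pointing at the issuer's own AC (absent when the SoA issued it)

def pkc_chains_to_root(subject, pkc_issuer, root_ca):
    """PKI chain: does the PKC of `subject` chain (via its AKI) to the trust anchor?"""
    for _ in range(8):                     # bound on chain length
        if subject == root_ca:
            return True
        subject = pkc_issuer.get(subject)
    return False

def verify(ac, pkc_issuer, ac_store, root_ca, soa, required, ac_methods):
    """Privilege verifier (RP): returns (ok, reason). pkc_issuer maps a PKC subject to its
    issuer (its AKI), ac_store maps URI -> AC, ac_methods are the access-method OIDs followed."""
    cur = ac
    for _ in range(8):                     # PMI chain: holder's AC -> ... -> SoA
        if not pkc_chains_to_root(cur.issuer, pkc_issuer, root_ca):
            return False, f"no PKC path from {cur.issuer} to {root_ca}"
        if cur.issuer == soa:
            break
        uris = [u for m, u in decode_aia(cur.aia) if m in ac_methods] if cur.aia else []
        sup = next((ac_store[u] for u in uris if u in ac_store), None)
        if sup is None:
            return False, f"cannot locate the AC of {cur.issuer}"
        if sup.holder != cur.issuer:
            return False, "AIA points at an AC held by someone else"
        if cur.privilege > sup.privilege:  # toy delegation rule: never more than the superior holds
            return False, f"{cur.issuer} delegated more privilege than it holds"
        cur = sup
    else:
        return False, "delegation chain too long"
    if ac.privilege < required:
        return False, "privilege insufficient for the command"
    return True, "ok"

def demo(ac_methods=frozenset({ID_AD_AA_ISSUERS}), bob_privilege=5):
    """Constructed scenario from slide 3: Root CA signs every PKC, Bill (SoA) issues an AC
    to Alice (AA), Alice issues an AC to Bob (holder), Bob presents a command to the RP."""
    pkc_issuer = {"Root CA": "Root CA", "Bill": "Root CA", "Alice": "Root CA", "Bob": "Root CA"}
    alice_ac = AC("Alice", "Bill", 10)     # issued by the SoA itself, so no AIA needed
    bob_ac = AC("Bob", "Alice", bob_privilege,
                encode_aia([(ID_AD_AA_ISSUERS, "http://pmi.example/alice.ac")]))
    store = {"http://pmi.example/alice.ac": alice_ac}
    return verify(bob_ac, pkc_issuer, store, "Root CA", "Bill", 3, ac_methods)
```

`demo()` returns `(True, "ok")`; `demo(ac_methods={ID_AD_CA_ISSUERS})` fails with "cannot locate the AC of Alice", which is the slide 6 problem in code: an RP that recognises only id-ad-caIssuers has no defined way to fetch an AA's AC, and either resolution on slide 7 (a new id-ad-aaIssuers OID, or the renamed id-ad-issuers carrying the existing OID) gives it one. `demo(bob_privilege=20)` shows the delegation check catching Alice issuing more than she holds.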

