Presentation is loading. Please wait.

Presentation is loading. Please wait.

Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01.

Published byShauna Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01."— Presentation transcript:

1 Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01

2 Agenda PKI and Directories: Complementary Middleware Services Directories for Certificate Management Directories for Authorization Information: Attributes and Roles Directory Support for Privacy and Other Security Services Work Items for Consideration

3 PKI and Directories are Complementary Credo: Middleware services assist application roll-out Applications bring people and services together …in a controlled fashion We need both directory and security services to do apps But PKI and Directory complementary in a stronger sense Most I’s in PKI hand off key functions to directories Not all do (see PKI Ultra-Lite) Secure directories of the future may leverage PKI for PAIN –P rivacy, A uthentication, I ntegrity, N on-repudiation

4 Directories for Certificate Management Certificate management services via directories Certificate Repository Where apps can find X.509 certificates Find the person entry, then look for userCertificate attribute –Carl Ellison asks: How do you know you’ve got the right Tom Smith? Open question: as we issue multiple certificates, how do we get the right one?

5 Directories for Certificate Management Certificate Revocation Lists (CRLs) Certs can contain a CRL Distribution Point extension That extention MAY contain a URI pointing to the CRL Needed because vision of a global X.500 directory remains just that An alternative to CRLs is the Online Certificate Status Protocol (OCSP) service Certs can contain an Authority Information Access extension That extension MAY contain the name for an associated OCSP server

6 Directories for Certificate Management Certificate Repositories and CRLs Commercial PKI software suites may do this for you However, you will need to integrate with enterprise directory If you roll your own PKI, this is an item on the long list of tasks NOTE: PKI Lite and Ultra-Lite can live without directories Signed, encrypted email Simple access control to web pages

7 Directories for Authorization Info Attributes and Roles tend to live in directories Good place to put them so apps can find them easily Proposed principle: Whatever else we do, let’s issue simple Identity certificates as a first step Why? Such a cert merely asserts a binding between a public key and a principal (a person, for this discussion) That assertion is likely to remain valid for some time Lessens frequency of revocation, reissuance But it creates a need for tight PKI-Directory integration PRIVACY ALERT!!! Threat to anonymity

8 Directories for Authorization Info Identity certificates and PKI-Directory integration Use the certificate for the authentication step Access control decisions depend on role-service mappings Roles are carried by authenticated principals So given a cert, app must be able to learn more about the subject Subject field in the certificate is a Distinguished Name (DN) So if we know where to look, we can ask more about subject

9 Directories for Authorization Info Identity certificates and PKI: Where should we go to ask more about subject? A good use for the Directory of Directories for Higher Education (?) For Federal PKI, reliance on X.500 chaining and referrals (?) What about apps that are supposed to work in both domains? Once you’ve found the directory, a simple lookup will find the subject’s full entry

10 Directories for Authorization Info More on Role-Service Mappings: Our policies (institutional and inter-institutional) will determine which roles (or groups) are eligible for which services In turn, roles and groups are defined by policy or business practice

11 Directories for Authorization Info More on Role-Service Mappings: Directories are the logical place to express roles and group memberships Groups in directories is a current hot item for MACE-Dir Communities of interest will need to define roles and groups Communities of interest will need to be in deep agreement Two basic varieties of groups: attribute based and ad hoc

12 Directories for Authorization Info What if we opt for attribute certificates? The directory is still the place to find authoritative attribute assertions from which to build attribute certificates Shifts the burden of community of interest agreement from directory schema to attribute certificate profiles

13 Directory Support for Privacy PRIVACY ALERT!! A simple Identity certificate will lead you right to the cache of information in the bearer’s directory entry One counter-measure: Control access to directory Means directory clients must themselves authenticate to directory Means non-person security principals Means directory support for access control information –How fine-grained? –Not yet standardized (LDAP-Ext work in progress) Another avenue: Pseudonymous Identity Certificates The DN of the subject of a pseudonymous cert reveals nothing about the subject

14 Directory Support for Privacy Pseudonymous Identity Certificates: Inspired by DLF, shaped by MACE-Shibboleth The DN of the subject of a pseudonymous cert reveals nothing about the subject Paired with authenticated binds to the directory, a powerful privacy protection mechanism “I’m App X, tell me about “XhJSedrtE’” But means more work for the PKI-Directory Integration Team And if persistent, nefarious interests can leverage it

15 Directory Support for Info Integrity The higher the risk, the more we must secure our directories One aspect is directory client confidence in the returned attributes Signed assertions as attributes in the directory I can decide if I trust the signer of the assertion I can be assured that the attribute value has not been altered in transit See Oasis-open work on Security Assertions Markup Language (SAML) Rare vendor convergence (except MS) on ways to express authentication and authorization assertions

16 Caution: Work Zone Ahead Repositories and CRL services in roll-your-own PKIs Integration of PKI Suite repositories with enterprise directory How do we get the right cert from the repository? Picking the apps to work on first (avoiding insanity and ennui) Community of interest role definition and maintenance

17 Caution: Work Zone Ahead Support for pseudonymous identity certificates Support for privacy and other security services (big) Oh yes, what about support for mobility (IETF-Sacred) OID-vey Policies are coming: CP, sure, but DP!?!?!

18 Your Turn Q & A & Discussion

Download ppt "Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01."

Similar presentations

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google