Presentation is loading. Please wait.

Presentation is loading. Please wait.

Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard

Published byOswald Murphy Modified over 8 years ago

Similar presentations

Presentation on theme: "Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard"— Presentation transcript:

1 Communications-Electronics Security Group

2 PKI interoperability issues for UK Government Richard Lampard Richard.Lampard@cesg.gsi.gov.uk

3 Structure 1.What is CLOUD COVER? 2.Interoperability testing 3.Trust models 4.Wish list 5.Summary

4 1.What is CLOUD COVER? CLOUD COVER aims to ensure that government departments have access to the widest possible range of secure, interoperable and cost effective PKI solutions.

5 2.Interoperability testing CA

6 2.Interoperability testing PCA CA

7 2.Interoperability testing COAST system is very, very simple … … but it took a lot of work to achieve interoperability!

8 2.Interoperability testing Experiences in COAST –misinterpretations of standards e.g. wrong version –encoding problems e.g. DER versus BER, GeneralizedTime vs UTCTime, DN ordering –problems with tools e.g. ASN.1 compiler bugs –dealing with incorrect behaviour e.g. processing certification requests –missing functionality e.g. ARLs –mistakes e.g. keyUsage & basicConstraints –invalid assumptions e.g. populating keyIdentifier –implementation limitations e.g. serial number length

9 2.Interoperability testing Requirement Simple, interoperable solution Fully functional, interoperable solution Fully functional, non-interoperable solution Very hard! Very, very hard indeed!

10 2.Interoperability testing CA Repository

11 HMG Root CA (Baltimore) Ministry of Education (Entrust) Ministry of Works (Baltimore) Ministry of Transport (Entegrity) Ministry of Truth (NIST) Ministry of Plenty (Spyrus) 2.Interoperability testing

12 Conclusion? It doesn’t work!

13 2.Interoperability testing Experiences with testbed: –on-line cross certification relies upon proprietary protocol exchanges, procedures and token standards –certificate extensions not processed –directory schema e.g. same OID representing different object classes –inability to use same Directory –name encoding e.g PrintableString vs TeletextString, RFC 822 address included in DN

14 2.Interoperability testing Manual cross certification between different products is limited –achieved between other products and Notary –using Entegrity PKIBench toolkit –pre-certificate imported to Notary CA –Entegrity token created for it –could develop similar toolkits for all other products

15 2.Interoperability testing What is happening to the IETF!? –divergent working groups (PKIX, SPKI, OpenPGP) –competing PKIX standards (CMC versus CMP) –massive proliferation of standards...

16 2.Interoperability testing  Representation of elliptic curve DSA (ECDSA) keys and signatures in Internet X.509 PKI certificates  Certificate management message formats (CMMF)  Certificate management messages over CMS (CMC)  Caching on-line certificate status protocol  Web based certificate access protocol (WebCAP/1.0)  Enhanced CRL distribution options(OCDP)  Time stamp protocols  Data validation and certification server protocols  PKIX roadmap  Qualified certificates  Diffie-Hellman proof of possession algorithms  An Internet attribute certificate profile for authorisation  Basic event representation token v1  Extending trust in non-repudiation tokens in time  Simple certificate validation protocol (SCVP)  Using HTTP as a transport protocol for CMP  Limited attribute acquisition protocol  RFC 2459 - Certificate and CRL profile  RFC 2510 - Certificate management protocols (CMP)  RFC 2511 – Certificate request message format (CRMF)  RFC 2527 - Certificate policy and certificate practices framework  RFC 2528 – Representation of key exchange algorithm (KEA) keys in Internet X.509 PKI certificates  RFC 2559 – Operational protocols: LDAPv2  RFC 2560 – Online certificate status protocol (OCSP)  RFC 2585 – Operational protocols: FTP and HTTP  RFC 2587 – LDAPv2 schema  Operational protocols: LDAPv3  Limited attribute certificate acquisition protocol  OCSP extensions  Using HTTP as a transport protocol for CMP  Using TCP as a transport protocol for CMP  A string representation of general name – allows representation of GeneralName when not using ASN.1 encoded protocol (e.g. configuration file)  Technical requirements for a non-repudiation service  PKIX profile for IKE – allows use of PKIX certificates with IPSec.

17 3.Trust models B R We would like to use all three in Government... … but we are generally stuck with hierarchies

18 4.Wish list PKI Forum should feed into IETF PKIX WG Don’t forget client interoperability and Directory issues Interoperability should not be exclusive among Forum members Testing service or reference implementation Liaise with other initiatives e.g. ECAF, TIE, Identrus

19 5.Summary Lack of interoperability will be a major problem for UK Government PKI Forum efforts are very welcome Ensure that the work is coordinated with other international efforts

20 Communications-Electronics Security Group

Download ppt "Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Tim Polk, NIST wpolk@nist.gov PKI Overview Tim Polk, NIST wpolk@nist.gov.

Tim Polk, NIST PKI Overview Tim Polk, NIST
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
The OpenEvidence Project Peter Sylvester, EdelWeb IETF - N° 57, Wien 2003-07-17 PKIX working group.

The OpenEvidence Project Peter Sylvester, EdelWeb IETF - N° 57, Wien PKIX working group.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.

European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Similar presentations

Ads by Google