Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael Myers VeriSign, Inc.

Published byDaniela Townsend Modified over 8 years ago

Similar presentations

Presentation on theme: "Michael Myers VeriSign, Inc."— Presentation transcript:

1 Michael Myers VeriSign, Inc. mmyers@verisign.com
CMC (RFC 2797) Michael Myers VeriSign, Inc.

2 Objectives Industry de-facto standard use of PKCS-10 for certificate requests and PKCS-7 for responses. Primary objectives: Simplify online certificate management by building on existing PKCS7 and PKCS10 practice. Reuse existing security encapsulation mechanism then being standardized as CMS in the IETF. Define core functions useful for automated certificate management. Straw poll of WG at San Jose IETF ratified the need for an alternative.

3 Background VeriSign, Cisco started work earlier.
Went through several variations (including a draft called Certificate Request Syntax (CRS)). Emerged as Certificate Management over CMS (CMC) with Certificate Request Message Format (CRMF) as a by-product. Brian LaMacchia and Jim Schaad are principal technical architects of final versions. Now RFC 2797.

4 Top-Level Requirements
Based as much as possible on the existing CMS, PKCS#10 and CRMF specifications. Support the current industry practice of a PKCS#10 request followed by a PKCS#7 response as a subset of the protocol. Must easily support the multi-key enrollment protocols required by S/MIME and other groups. Must supply a way of doing operations in a single-round trip whenever possible. Enable all key generation to occur on the client. Support mandatory and optional algorithms. Support pending responses to certificate requests for cases where external procedures are required to issue a certificate. Support Registration Authorities.

5 Protocol Overview Standardizes use of bare PKCS-10 for environments with a need for it. Defines a means to “wrap a 10 in a 7”. i.e use of CMS to encapsulate the PKCS 10 object. May also use CRMF instead of a 10. Responses based on CMS signedData. Again, this could be nothing more than a “7”. Or a responseBody in a CMS encapsulation.

6 Services Issuance (direct and deferred) Revocation
Registration authority intervention Certificate/CRL retrieval Replay detection through nonces Transaction management through transaction IDs.

7 Simple request/response
Simple PKI Request Simple PKI Response | PKCS #10 | | CMS "certs-only" | | message | | | | Certificate Request | | | | | | CMS Signed Data, | | Subject Name | | no signerInfo | | Subject Public Key Info | | | | (K_PUB) | | signedData contains one | | Attributes* | | or more certificates in | | | | the "certificates" | | portion of the | | signed with | | signedData | | matching | | | | K_PRIV | | encapsulatedContentInfo | | is empty | | | | unsigned |

8 Full Request/Response
| CMS signedData | | CMS signedData | | object | | object | | | | | | PKIData object | | ResponseBody object | | Sequence of: | | Sequence of: | | <enrollment attribute>* | | <enrollment attribute>* | | <certification request>*| | <CMS object>* | | <CMS objects>* | | <other message>* | | <other message>* | | | | | | where * == zero or more | | where * == zero or more | | | | | | All certificates issued | | Certificate requests | | as part of the response | | are CRMF or PKCS# | | are included in the | | objects. Attributes are | | "certificates" portion | | (OID, ANY defined by | | of the signedData | | OID) pairs | | Relevant CA certs and | | | | CRLs can be included as | | well | | signed (keypair | | | | used may be pre-| | existing or | | signed by the | | identified in | | CA or an LRA | | the request) |

9 Control Attributes ----------------- ---------- --------------
Control Attribute OID Syntax cMCStatusInfo id-cmc CMCStatusInfo identification id-cmc UTF8String identityProof id-cmc OCTET STRING dataReturn id-cmc OCTET STRING transactionId id-cmc INTEGER senderNonce id-cmc OCTET STRING recipientNonce id-cmc OCTET STRING addExtensions id-cmc AddExtensions encryptedPOP id-cmc EncryptedPOP decryptedPOP id-cmc DecryptedPOP lraPOPWitness id-cmc LraPOPWitness getCert id-cmc GetCert getCRL id-cmc GetCRL revokeRequest id-cmc RevokeRequest regInfo id-cmc OCTET STRING responseInfo id-cmc OCTET STRING QueryPending id-cmc OCTET STRING idPOPLinkRandom id-cmc OCTET STRING idPOPLinkWitness id-cmc OCTET STRING idConfirmCertAcceptance id-cmc CMCCertId

10 A few other technical details
Subscriber privacy achieved through use of CMS enveloped data mechanisms. Three transport wrapping options MIME for HTTP and Binary for out of band floppy disk transfer (either bare or MIME) Socket-based using the raw BER encoding. Able to prove identity based on a shared secret. Able to prove possession of encryption-only keys. Able to link identity proof to possession proof.

Download ppt "Michael Myers VeriSign, Inc."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
XML Key Management Requirements W3C XML Key Management Working Group Meeting – Dec 9 th, 2001 Frederick Hirsch (Zolera Systems) Mike Just (Entrust)

XML Key Management Requirements W3C XML Key Management Working Group Meeting – Dec 9 th, 2001 Frederick Hirsch (Zolera Systems) Mike Just (Entrust)
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Public Key Superstructure It’s PKI Jim, but not as we know it! 7 th Annual “IDtrust” Symposium 5 March 2008, Gaithersburg MD, USA Stephen Wilson Lockstep.

Public Key Superstructure It’s PKI Jim, but not as we know it! 7 th Annual “IDtrust” Symposium 5 March 2008, Gaithersburg MD, USA Stephen Wilson Lockstep.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
PUBLIC KEY INFRASTRUTURE Don Sheehy

PUBLIC KEY INFRASTRUTURE Don Sheehy
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google