Presentation is loading. Please wait.

Presentation is loading. Please wait.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

Published byStephany Burns Modified over 8 years ago

Similar presentations

Presentation on theme: "Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths."— Presentation transcript:

1 Path Construction “It’s Easy!” Mark Davis

2 Current WP Scope u Applications that make use of public key certificates have to validate certificate paths. u Before validating a certificate path, it is first necessary to construct that path. u This means finding a set of certificates that appears to chain up to a trust point. u This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".

3 So What is the Problem? u Does not seem to work in the real world u Brought up as area of interest at first PKI Forum u Standards seem to address the problem u Objectives: –Identify parts of the task –Describe the problem –How can PKI Forum make progress?

4 Path Construction u Want to validate a certificate u You have some trusted roots u Each certificate has “issuer name” –May have other information u Path validation described in standards –Start with root –Check each cert (cert, policy, revocation status) –When check of cert of interest complete, then work is done

5 No Problem. Well … u Finding the certificates –Mostly an LDAP problem u Finding a path –Graph theory problem u Checking a path –Good news! Recognizable correct answer –Whose rules Certificate may or may not contain standard profile Roots may be from different profiles

6 #1 Finding Missing Certificate u Can’t identify certificate –DN non proper –Cert storage not related to Issuer DN –LDAP u “Path Policy” may not use X.509 certificates –PKCS #7 u Interdomain directory authorization problems

7 #2 Finding the path u Assuming you can find the certificates u In real life, number of certificates well bounded u Graph traversal algorithms well understood –I admit that building routing algorithms is hard. But somebody else already did it. –We do not introduce new problems u Each Cert Issuer -> Issue Cert link must be handled by SW u Partial Path’s –SW must parse partial path and maintain like as above

8 Other Problems u…u…

9 What does the paper need to say – Mark’s Version u LDAP is hard (see LDAP WP) u Sometimes you don’t use LDAP to get Certificates (see …) u Graph Traversal is hard (see Knuth) u Path construction is easy!

10 What does the paper need to say – WG Consensus Version u List the problems with LDAP u Recommend protocols and business logic solve as much as problem as possible u Error Handling needs guidance u CA-CA paper must give guidance to bound path construction u Path construction may be a resource intensive –server may be better than on small device u Environmental impacts described

Download ppt "Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.

Fed/Ed PKI 2008, June Subject Unique Identifier or Equivalent William A. Weems & Mark B. Jones Academic Technology U. Texas Health Science Center at Houston.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.

PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Similar presentations

Ads by Google