Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.

Slides:



Advertisements
Similar presentations
PKCS-11 Protocol for Enterprise Key Management
Advertisements

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)
XKMS Specifications Phillip Hallam-Baker. Changes Since 1.1 Cosmetic Significant.
Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Lecture 23 Internet Authentication Applications
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Internet Engineering Task Force Provisioning of Symmetric Keys Working Group Hannes Tschofenig.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
COMP4690, by Dr Xiaowen Chu, HKBU
SNMP Simple Network Management Protocol
1 Web Services Security XML Encryption, XML Signature and WS-Security.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
The Dynamic Symmetric Key Provisioning Protocol (DSKPP)
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.
September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.
DICOM Security Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine.
Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.
1 IPFIX Protocol Specifications IPFIX IETF-59 March 3, 2004 Benoit Claise Mark Fullmer Reinaldo Penno Paul Calato Stewart Bryant Ganesh Sadasivan.
(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.
SAML 2.1 Building on Success. Outline n Summary of SAML 2.0 n Work done since 2.0 n Objectives of SAML 2.1 n Proposed Task List n Undecided Issues n Invitation.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
LDAP Items
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.
XML Encryption, XML Signature, and Derived Keys: Suggestion For a Minor Addition Magnus Nyström RSA.
OTP-ValidationService John Linn, RSA Laboratories 11 May 2005.
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
IETF KeyProv work group: Provisioning of Symmetric Keys.
Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas
IETF 57, Vienna1 SDPng Update Dirk Jörg Carsten draft-ietf-mmusic-sdpng-06.txt.
LTANS service and protocol Carl Wallace (on behalf of Peter Sylvester) 6 Aug 2004, 60th IETF, San Diego.
SCIM conference call 4 September Issue #2 Add pagination capability to plural Resource attributes User Group retrieval could be resource intensive,
Introduction for Certificate-based Key Management Design based on Provisioning Tool Samsung Electronics Software R&D Center.
Abierman-netconf-mar07 1 NETCONF WG 68 th IETF Prague, CZ March 19, 2007.
#3: Protocol Document (draft-ietf-drinks-spprov) Presenter: Syed Ali (On behalf of the authors: Ken Cartwright, Syed Ali, Alex Mayrhofer and Jean-Francois.
IETF 54, Yokohama Kutscher/Ott/Bormann 1 SDPng Update Dirk Jörg Carsten draft-ietf-mmusic-sdpng-05.txt.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 23 September, 2010 Encoding Options for Key Wrap.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.
1 G52IWS: Web Services Description Language (WSDL) Chris Greenhalgh
December 14, 2000Securely Available Credentails (SACRED) - Framework Draft 1 Securely Available Credentials (SACRED) Protocol Framework, Draft Specification.
DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington.
DC Architecture WG meeting Wednesday Seminar Room: 5205 (2nd Floor)
Brian Tung Issues List by Jeff Hutzelman
KeyProv PSKC Specification Philip Hoyer Mingliang Pei Salah Machani 74 nd IETF meeting, San Francisco Nov
Portable Symmetric Key Container (PSKC) Mingliang Pei Philip Hoyer Dec. 3, th IETF, Vancouver.
Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.
CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working.
Core Assertions Phill Hallam-Baker. Status Waiting for use cases to specify problem Can give a price of specific use case features –Auth-XML / S2ML /
SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.
SDP draft-ietf-mmusic-sdp-new-21.txt Colin Perkins.
KeyProv PSKC Specification Mingliang Pei Authors: P. Hoyer, M. Pei and S. Machani 73 nd IETF meeting, Minneapolis, Nov
IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.
Access Policy - Federation March 23, 2016
Portable Symmetric Key Container (PSKC)
IETF Provisioning of Symmetric Keys (keyprov) WG Update
draft-ietf-simple-message-sessions-00 Ben Campbell
Resource Certificate Profile
STIR WG IETF-99 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-00) July, 2017 Ray P. Singh, Martin Dolly, Subir Das, and An.
CPPA3 Overview.
Web-based Imaging Management System Working Group - WIMS
draft-ietf-dtn-bpsec-06
Presentation transcript:

Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia

Agenda  Status update  Discussion points Key Attribute – transmission and extension Current approach SAML attribute assertion schema Current spec example Comparison between current and new proposal Mailing list extension discussion  List of outstanding issues

Status update – changes based on draft - 03 from 22/2/ Completely reworked spec based on an entity description top-down approach 1. Aligned terminology (credential->key) 2. Removed LogoType 3. Adopted xml encryption types within schema 4. Added PINPolicy to allow transmission of PINs 5. Added start and expiry date to device and key entity 6. Removed UserEntity 1. Device -> user binding is via a UserId attribute in device 7. Added examples for PIN transmission and asymmetric wrapping 8. More detailed section on protection methods of payload 1. Added profile of symmetric, password based, key wrapping and asymmetric algorithms referenced also from DSKPP 9. Explicit section on attribute semantics that can be referenced from ASN.1 spec

Discussion: how to transmit key attribute values  Lots of traffic on mailing list  Main points: Need a way to carry “attributes” related to a key  An attribute is not an XML attribute but key related meta- data  Key Attribute model based on name-values is common practice in existing crypto APIs such as PKCS#11 An attribute can be encrypted or plaintext Spec needs to be able to cater for a list of attributes Not all attributes are semantically defined Need to be able to cater for future attributes  Issue got confused between extension of XML elements and attributes and ability to carry a list of not pre-defined key metadata

Current approach to transmit key attributes  Attributes are a list of name value pairs:  Spec defines semantics for reserved attributes eg: COUNTER: the event counter for event based OTP algorithms. 8 bytes unsigned integer in big endian (i.e. network byte order) form base64 encoded

SAML Attribute assertion schema

Current spec attribute example <Key KeyAlgorithm=" KeyId=" "> AnIssuer AprkuA== <xenc:EncryptionMethod Algorithm=" kyzrWTJuhJKQHhZtf2CWbKC5H3LdfAPvKzHHQ8SdxyE= cwJI898rRpGBytTqCAsegaQqPZA= T00:00:00

Comparison between current spec Hannes proposal on mailing list <xenc:EncryptionMethod Algorithm=" 04/xmlenc#aes256-cbc"/> kyzrWTJuhJKQHhZtf2CWbKC5H3LdfAP vKzHHQ8SdxyE= cwJI898rRpGBytTqCAseg aQqPZA= 1234 <xenc:EncryptionMethod Algorithm=" /04/xmlenc#kw-aes128"/> rf4dx3r vEPO0vKtKL14NbeVu8nk= 1234

pros and cons CurrentHannes  Pros Schema is always valid does not need to change for new attributes Way to transmit attributes in line with ASN.1 spec Familiar to crypto programmers (pkcs#11)  Cons Not very XML  Pros More XML style Allows for better typing of plainvalues  Cons Harder to parse Schema needs extension with every new attribute type

Mailing list extension discussion  Chair Phillip Hallam-Baker with Tony Nadalin (IBM) On structured data, distinguish between extending the protocol schema and incorporating lists of tag value pairs:  Using to extend the protocol is bad, you lose the ability to perform schema validation on the protocol elements.  Using for structured tag-value pairs is acceptable and is the prefered method if you have a tag-value pair that you may need to instantiate into multiple schemas. So for example, if X.509 was an XML data format:  Changes to the X.509v3 cert format should use inheritance/subclassing so that the cert can be schema validated.  should be used at the point where X.509v3 requires an OID- Structure pair defining a certificate extension. This allows an extension to be incorporated in Certificates, CRLs, OCSP, etc.  Comment from Anders Rundgren (RSA) A remaining issue is that there is no way figuring out which extensions are understood and supported except by requesting vendor support. X.509 world has a concept known as "non-critical" extensions. On the surface this looks like a great idea (just skip things you don't understand), but the reality is that if you don't support a bunch of these you cannot for example know if a certificate is revoked or not.  Issue - how do we register new key metadata semantics informal RFC? New version of PSKC with specific section about semantics?

Outstanding Issues  Fix a few TODOs: Extend definition of userId for user device binding, current proposal is DN style (OU=Engineering, CN=James…) Add definition of type in DerivedKey Add example of asymmetric key protection in section 6.2  Should plaintext be string instead of base64  Clean up references to OTP algorithm URI in Section Reference Eastlake informational RFC Specify some locally (RSA SecurID, ActivIdentity,others)?  change URI xxx/pskc#valuecompare to xxx/pskc#pin in section 6.3. #valuecompare is not a good name for type of credential (PIN).  Clean up reference section (some reference may not be "Normative" such as OATHRefArch )  More clarification of ValueMac for specific transport security options (eg asymmetric, kw- algos not all HSMs)  Make sure all examples use ‘real key and hash values’  add support of a key template to spec (alignment w/ASN.1 spec)?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.