Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions.

Published byBlanche Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions."— Presentation transcript:

1 Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions

2 Motivation LTAP has not been defined yet –Most early discussions and precursor specifications incorporated certification path information for the original document signer in the innermost layer of the ERS structure –Preservation layers cover this information This freezes the context in which the Evidence Record can be validated –Ideally verification context can move independently from original document EvidenceRecord structure does not cover validation information for TSAs SCVP servers will handle a large amount of artifacts and could serve as a convenient point of preservation I-D uses ERS and is complementary to the TBD LTAP specification

3 SCVP SCVP provides a means of building and validating certification paths relative to any point in time, i.e. SCVP servers can provide historical validation artifacts –SCVP does not define any preservation mechanisms to support validation relative to times in the past SCVP is extensible –By defining new wantBack types, validation relative to times in the past can be performed using EvidenceRecords that cover the validation information

4 SCVP/ERS Mechanics SCVP/ERS I-D specifies 6 OIDs and 2 structures OIDs correspond to existing SCVP wantBack OIDs used to return information such as public key certificates, certification paths or revocation information The resulting replyWantBack is an EvidenceRecord structure (as defined in ERS) that covers the value of the corresponding replyWantBack –For example, if a client requests id-swb-best-cert-path and id-swb-ers-best-cert-path, the resulting response will contain a two replyWantBacks: the path as a CertificateBundle and an EvidenceRecord. The evidence record in the id-swb-ers-best-cert-path replyWantBack covers the DER encoded CertificateBundle returned in the id-swb-best-cert-path replyWantBack.

5 SCVP/ERS Mechanics (continued) OIDPurpose *id-swb-ers-pkc-certRequest/return ERS for target certificate * id-swb-ers-best-cert-pathRequest/return ERS for certification path * id-swb-ers-revocation-infoRequest/return ERS for revocation info id-swb-partial-cert-pathRequest/return partial certification path (TA->target issuer’s certificate) id-swb-ers-partial-cert-pathRequest/return ERS for partial certification path (permits ERS to be calculated over paths not including target certificates) id-swb-ers-allRequest/return ERS for each other requested wantBack * Correspond to existing SCVP wantBacks

6 SCVP/ERS Mechanics (continued) Structure to support returning an ERS for any arbitrary wantBack is as follows EvidenceRecordWantBack ::= SEQUENCE { targetWantBack OBJECT IDENTIFIER, evidenceRecord EvidenceRecord OPTIONAL } EvidenceRecordWantBacks ::= SEQUENCE SIZE (1...MAX) OF EvidenceRecordWantBack

7 Issues When a client includes a id-swb-pkc-cert as a requestWantBack, the server returns the certificate in the body of the response, not as a replyWantBack –For mechanism in this ID to work, the target certificate would need to be returned as a replyWantBack This could be accomplished by defining a new OID to request target certificate as a replyWantBack Approach in this ID potentially increases the number ERS validations that must be performed –A client may need to retrieve and verify an ERS for an archived data object, for a partial certification path, for a target certificate and for revocation information –On the positive side, servers need not preserve validation information for each archived data object and validation context is not fixed

8 Issues (continued) No client-side control or awareness of cryptographic maintenance policy –Policy is part of server configuration Data may not be submitted for archiving (i.e., server collects data) –EvidenceRecord definition may need modification if policy must be apparent to clients during validation Could go in CryptoInfos ERS does not define any extensible fields except at outermost layer Validation of EvidenceRecords may require additional requests to verify historical TSA signatures –E.g., a single request could be used to determine status of all TSAs in an EvidenceRecord and any signers on the archived data object, but the resulting response may include EvidenceRecords generated by different TSAs

Download ppt "Using SCVP to Convey Evidence Records Carl Wallace Orion Security Solutions."

Similar presentations

Reporting Workflow Rita Noumeir, Ph.D. IHE Technical Committee.

Reporting Workflow Rita Noumeir, Ph.D. IHE Technical Committee.
April 23, 20021 XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
PKI Artifact Retention March 2006. Purpose Current drafts are silent on how refreshed timestamp chains will be verified –i.e., from where will the various.

PKI Artifact Retention March Purpose Current drafts are silent on how refreshed timestamp chains will be verified –i.e., from where will the various.
M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.

M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Pertemuan 16 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 16 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google