Presentation is loading. Please wait.

Presentation is loading. Please wait.

Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.

Published byIra Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland."— Presentation transcript:

1 Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland

2 15 th EUGridPMA Nicosia meeting – Jan2009 - 2 David Groep – davidg@eugridpma.org Current MICS  4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

3 15 th EUGridPMA Nicosia meeting – Jan2009 - 3 David Groep – davidg@eugridpma.org Language is ambiguous 4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

4 15 th EUGridPMA Nicosia meeting – Jan2009 - 4 David Groep – davidg@eugridpma.org 1 st proposal for clarification  The IdM manager must suspend or revoke eligibility to obtain a certificate if traceability to the person is lost, and must ensure any changes to member data pertinent to certificate issuance are promptly made available to the MICS CA on issuance of any new certificate to a member.  And a lot of discussion followed

5 15 th EUGridPMA Nicosia meeting – Jan2009 - 5 David Groep – davidg@eugridpma.org MICS proposal from Marg  The accreditation process must address how the IdM maintains persistence, uniqueness and traceability of each individual person.  Certificates implicitly expire if the IdM can no longer provide persistence, uniqueness, and traceability to the individual.  Upon loss of traceability, the CA Manager must suspend or revoke the ability for that individual to get a MICS certificate and should revoke any already issued certificates unless they expire in less than 1Ms."  which may suggest that you must be able to address the persistence of all possible individuals that might request a cert for each and every individual. Also, the 'implicitly expire' now comes across as something that will magically happen.

6 15 th EUGridPMA Nicosia meeting – Jan2009 - 6 David Groep – davidg@eugridpma.org Updated proposal  The CP/CPS must address how the IdM maintains persistence and traceability for entities that are eligible for a MICS certificate, and how name uniqueness is guaranteed.  Certificates may be left to expire implicitly if the status of the entity in the IdM changes, if and only if traceability information to the individual is retained.  Upon loss of traceability, the CA Manager must suspend or revoke the ability for that individual to get a MICS certificate and should revoke any already issued certificates unless they expire in less than 1Ms.  But also this caused a lot of discussion in the TAGPMA

7 15 th EUGridPMA Nicosia meeting – Jan2009 - 7 David Groep – davidg@eugridpma.org 1 st proposal for clarification  The IdM manager must suspend or revoke eligibility to obtain a certificate if traceability to the person is lost, and must ensure any changes to member data pertinent to certificate issuance are promptly made available to the MICS CA on issuance of any new certificate to a member.  or  The IdM manager must suspend or revoke authentication to the IdM if …  What were the issues with originally proposed clarification?

8 15 th EUGridPMA Nicosia meeting – Jan2009 - 8 David Groep – davidg@eugridpma.org New text? 4.4 Revocation  If the MICS implements revocation, revocation requests can be made by certificate holders, IdM managers and the MICS CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.  The IdM manager must suspend or revoke authentication to the IdM if member data changes or the traceability to the person is lost. Suspension or revocation must last until identity is updated and confirmed according to IdM policies.  Individual holders of a MICS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

Download ppt "Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland."

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
ARIN 2012-1 Clarifying Requirements for IPv4 Transfers Dan Alexander- Primary Shepherd David Farmer- Secondary Shepherd.

ARIN Clarifying Requirements for IPv4 Transfers Dan Alexander- Primary Shepherd David Farmer- Secondary Shepherd.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Large-scale issuing of host certs in a member-integrated or institutional CA environment.
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

Similar presentations

Ads by Google