Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

Published byTobias Baker Modified over 8 years ago

Similar presentations

Presentation on theme: "“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop."— Presentation transcript:

1 “Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop

2 2 Topics What is a CP and CPS What is in a CP and CPS Levels of Assurance HEPKI ‘generic’ CP PKI-lite CP/CPS Commercial CPs PKI and Federations

3 3 x.509 Section 8.1.1 [The x.509] framework contains three types of entity: the certificate user, the certification authority and the certificate subject (or end- entity). Each entity operates under obligations to the other two entities and, in return, enjoys limited warranties offered by them. These obligations and warranties are defined in a certificate policy. Definition of the policy [is] performed by a policy authority. The set of policies administered by a policy authority is called a policy domain. Each entity may be bound to its obligations under the certificate policy in various ways such as by the act of importing an authority public key and using it as a trust anchor, by issuing a certificate that includes the associated policy identifier, or by accepting a certificate that includes the associated policy identifier and using the corresponding private key. A certification authority may place limitations on the use of its certificates, in order to control the risk that it assumes as a result of issuing certificates.

4 4 IETF RFC 3647 When a CA issues a certificate, it is providing a statement to a relying party that a particular public key is bound to the some attribute of a particular entity, shown as the certificate subject. The extent to which the relying party should rely on that statement by the CA, however, needs to be assessed by the relying party applications using certificates. Different certificates are issued following different practices and procedures, and may be suitable for different applications and/or purposes. CPs also constitute a basis for an audit or other assessment of a CA. When one CA issues a CA-certificate for another CA, the issuing CA must assess the set of certificate policies for which it trusts the subject CA. The appropriate set of certificate policies is then indicated by the issuing CA in the CA-certificate. The X.509 certification path processing logic employs these CP indications in its defined trust model.

5 5 Certification Policy An attempt to reassure a Relying Party of the trustworthiness of the certificate signature and the binding between the public key and the entity represented in the Subject fields Should be appropriate for the intended uses of issued certificates - not more burdensome Is an implied contract … Should be used in validating a certification path but few applications do so (yet).

6 6 What’s in a CP CA Organization, purpose, community PA, OA, RA, Subjects, appropriate uses Information repositories Published certificates and other info. Identification of certificate subjects ID verification required, DN’s allowed, etc. Certificate lifecycle management Issuing, changing, revoking, renewing,...

7 7 What’s in a CP (cont.) CA facility management Physical, procedural, personnel, audit logs,... Technical security controls CA key gen, key sizes, archive, system,... Certificate, CRL, OCSP profiles Defines what’s in a cert and CRL Compliance audit, changes, etc. Ensuring trust and continuity

8 8 What’s in a CPS How the specifications in the CP are implemented May contain important information for Relying Parties or cross certification evaluation The CPS is made public at the cpsURI Points to the CP Some information, e.g. location of the CA or security measures, is in a non-public doc.

9 9 CP Contents (RFC 3647) 1. INTRODUCTION & OVERVIEW 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES 3. IDENTIFICATION AND AUTHENTICATION OF SUBJECTS 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS 6. TECHNICAL SECURITY CONTROLS 7. CERTIFICATE, CRL, AND OCSP PROFILES 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS 9. OTHER BUSINESS AND LEGAL MATTERS

10 10 Levels of Assurance The certificate CP OID may refer to a subset of the CP document that defines a particular “level of assurance” for the certificate Based on operational and technical requirements Intended to accommodate varying use cases Federal PKI defines at least four Rudimentary, Basic, Medium, High

11 11 HEPKI “generic” CP Circa 2002 Based on the FPKI CP at the time Same 4+ initial levels of assurance Should enable cross-certification with the FBCA Intended to be (fairly) easily adopted by HE campuses Needs to be converted to RFC 3647 format Will be done if/when there is sufficient interest See http://middleware.internet2.edu/certpolicies/http://middleware.internet2.edu/certpolicies/

12 12 PKI-lite CP/CPS Pragmatic approach to PKI policy framework Basically “whatever you do now to issue on-line IDs” Should be good enough for a lot of H.E. apps S/MIME Better on-line credentials for internal campus apps Proof of concept for advanced apps USHER is based on this model (more later) Intended to alleviate a perceived roadblock to broader PKI use

13 13 PKI Domains & Trust Anchors A PKI Domain is a set of CAs conforming to the same policy A Trust Anchor is the highest level CA in a hierarchy that implements that policy Trust is based on understanding the policy Applications may be configured to look for a LOA Your browser contains 100+ Trust Anchors The PKI trust model is based on accepting certificates that are issued under a policy that the Relying Party understands - i.e. “trusts”

14 14 Commercial PKI CPs Commercial PKI vendors have CPs that protect their business interests You may or may not be comfortable with them May be very different than RFC 3647 Thus hard to compare … Applications are beginning to care How do they pre-configure for 100+ CPs?! Read them carefully before you sign up

15 15 PKI and Identity Federations PKI is complementary to Federations PKI provides the credential Federation provides the identity information Therefore, Federations need “policy” too We’re just beginning to understand this implication Federation operators could serve as trust brokers, in much the same way as PKI bridges

16 16 Questions? dlwasley@earthlink.net

Download ppt "“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop."

Similar presentations

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L.

David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

Similar presentations

Ads by Google