
1 Trusted Transitive Introduction Max Pritikin (Presentation by Cullen Jennings) Revision A.


Slide 1: Trusted Transitive Introduction
Max Pritikin, pritikin@cisco.com (presentation by Cullen Jennings, fluffy@cisco.com). Revision A.

Slide 2: Introduction
- Enrollment protocols already exist: CMC, CMP, others.
- All of these depend on undefined out-of-band steps (the "problem").
- Trusted Transitive Introduction (TTI) is a proposed model for this out-of-band exchange.

Slide 3: What is exchanged out-of-band?
- The 'entity label' for the service consumer
  - Generalized: some configuration information
- A piece of keying information to be used
  - Raw symmetric key
  - Raw public key
  - Fingerprint of a public key
- A set of permissions for operations for the service consumer
  - Authorization for the impending enrollment (from the charter)

Slide 4: Out-of-Band Introduction (diagram)
- Petitioner: the device joining a secure domain ("client").
- Registrar: the authentication and authorization infrastructure of the secure domain ("server").
- The introduction itself happens via a phone call, email, floppy disk, in-house provisioning system, smartcard, etc.
- Post-introduction secure communication between Petitioner and Registrar.
- Existing authentication and authorization infrastructure between user/administrator and the Petitioner device.
- Existing authentication and authorization infrastructure between user/administrator and the Registrar device.

Slide 5: Transitive Trusted Introduction (TTI) (diagram)
- Introducer: performs the introduction ("user").
- Petitioner: the device joining a secure domain ("client").
- Registrar: the authentication and authorization infrastructure of the secure domain ("server").
- Existing authentication and authorization infrastructure between user/administrator and the Petitioner device.
- Existing authentication and authorization infrastructure between user/administrator and the Registrar device.
- Post-introduction secure communication between Petitioner and Registrar.
- Introduction is not a negotiation; order does not matter!

Slide 6: EXAMPLE: Joining a device to a service (diagram)
- Roles: Introducer (user), Petitioner (device), Registrar (service provider).
- 1. Device is purchased.
- 2. Configuration of device by owner.
- 3. Device is introduced to a network server.
- Introduction data exchanged with the service provider: key material collected; configuration information (e.g. enrollment URL) collected; Petitioner introduction data sent.
- Introduction data exchanged with the Petitioner: key material collected; configuration information (e.g. capabilities) collected; Registrar introduction data sent.
- Post-introduction secure communication between Petitioner and Registrar.

Slide 7: Imprinting
- New devices IMPRINT on the first infrastructure they meet.
- From a pure model perspective this is entirely true. There is no alternative.
- Any out-of-band mechanism depends on the admin/user using this imprint for initial configuration anyway.
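The data flow of slides 5 to 7 as an added example (this is not code from the presentation or from Cisco): each side hands the Introducer its entity label, key fingerprint and configuration, the Introducer carries that to the other side in either order, and on first in-band contact each side checks the presented key against the fingerprint it received out-of-band. The keys, labels and configuration values are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Fingerprint of a raw public key, one of the keying-information forms on slide 3."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Party:
    """Petitioner or Registrar: its own label, key and config, plus what it was introduced to."""
    label: str
    public_key: bytes
    config: dict
    peer_fingerprint: str = ""
    peer_config: dict = field(default_factory=dict)

    def introduction_data(self) -> dict:
        # What the Introducer collects from this party: entity label, key fingerprint, config.
        return {"label": self.label, "fingerprint": fingerprint(self.public_key), "config": dict(self.config)}

    def accept_introduction(self, data: dict) -> None:
        # Introduction is not a negotiation: the party simply records the peer's data.
        self.peer_fingerprint, self.peer_config = data["fingerprint"], dict(data["config"])

    def verify_peer(self, presented_key: bytes) -> bool:
        # Post-introduction secure communication: the key seen in-band must match the fingerprint
        # delivered out-of-band. A never-introduced party accepts nothing, so it cannot imprint on
        # whatever it happens to meet first (slide 7).
        if not self.peer_fingerprint:
            return False
        return hmac.compare_digest(fingerprint(presented_key), self.peer_fingerprint)


def introduce(first: Party, second: Party) -> None:
    """The Introducer carries each side's data to the other; either order works."""
    second.accept_introduction(first.introduction_data())
    first.accept_introduction(second.introduction_data())


def tti_demo(registrar_first: bool) -> tuple:
    # Constructed sample data: random bytes stand in for real public keys.
    petitioner = Party("soho-router-0001", secrets.token_bytes(32), {"capabilities": ["ipsec"]})
    registrar = Party("corp-vpn-registrar", secrets.token_bytes(32), {"enrollment_url": "https://registrar.example/enroll"})
    introduce(registrar, petitioner) if registrar_first else introduce(petitioner, registrar)
    stranger_key = secrets.token_bytes(32)  # a key the Introducer never vouched for
    return (registrar.verify_peer(petitioner.public_key),  # True
            petitioner.verify_peer(registrar.public_key),  # True
            registrar.verify_peer(stranger_key))           # False
```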

Slide 8: Summary: Introduction, Introduction, Introduction
- Introduction is the hard part of enrollment.
- Introduction can happen in different orders.
- Before any enrollment protocol there is an introduction exchange that takes place. This has been characterized as an "out-of-band" exchange of data and has normally been identified as out of scope. It is my argument that it is in scope and can be best solved using the Trusted Transitive Introduction model.
- This WG should work on an introduction protocol.

Slide 9: EXTRA SLIDES TO FOLLOW
Below is an example of using TTI to introduce a VPN network device to a corporate VPN network. These slides show a Cisco SOHO device instantiation of the TTI model.

Slide 10: Browser-based TTI of a VPN device
- Welcome: the HTML form(s) displayed by the Petitioner.
- Introduction: the HTML form(s) displayed by the Authority.
- Completion: the final HTML form(s) displayed by the Petitioner.
- A user-interface 'wizard', just to show how easy this can be for a user.

Slide 11: Welcome phase (screenshot)

Slide 12: Introduction phase (screenshot)
Form field: Mfgr Cert Serial Number. Prompt: "Enter serial number from the back of the device:"

Slide 13: Completion phase (screenshot)
