1 / 11

SeGW Certificate profile (Revised)

S40-20090330-005 X50-20090330-0xx. 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS). SeGW Certificate profile (Revised). Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder ( apg@qualcomm.com ) Jun Wang ( jwang@qualcomm.com ) Recommendation: Discuss and adopt. Background.

santa
Download Presentation

SeGW Certificate profile (Revised)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. S40-20090330-005 X50-20090330-0xx 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) SeGW Certificate profile (Revised) Source: QUALCOMM IncorporatedContact(s): Anand Palanigounder (apg@qualcomm.com) Jun Wang (jwang@qualcomm.com) Recommendation: Discuss and adopt

  2. Background • At the last TSG-S WG4 meeting, we proposed SeGW certificate profile in S40-20090216-006 • In this contribution, we revise the profile • to align it with TS 33.210 (as this is used by 3GPP for H(e)NBs) rather than with TS 33.234 • update terminology • removed redundant requirements on the profile • We also propose to add an assumption that SeGW certificate is issued by operator trusted CAs

  3. Root CA Certificate SeGW Certificate SeGW Certificate issued using one level CA chain 1 Level CA Tree –Root CA issues certificate for SeGW signed using Root CA certificate. The Root CA certificate stored at the Femto AP is used to authenticate the SeGW using the SeGW certificate

  4. Root CA Certificate Sub-CA1 Certificate SeGW Certificate SeGW certificate issued using 2 level CA chain 2 Level CA Tree – Root CA issues Sub-CA (Sub-CA1) certificates signed using Root CA certificate to sub-CAs. Sub-CA1 in turn issues SeGW certificates signed using Sub-CA1certificate Femto AP must (at least) have either Sub-CA1 cert or the Root CA cert stored at the FAP. This stored Root CA or Sub-CA cert is used to authenticate the SeGW using the SeGW certificate

  5. Profile for SeGW certificate (1/3) • X.509 Certificates used for authentication of the SeGW by FAP shall be compliant to RFC 5280, RFC 4945 and meet the profile defined below • The signature algorithm shall be "sha256WithRSAEncryption”, and the RSA public key used for signing shall be at least 2048 bits.

  6. Profile for SeGW certificate (2/3) • The issuer name shall not be empty and shall identify the name of the issuer (as defined in RFC 5280 section 4.1.2.4) • The subject name may be empty in SeGW certificates and shall not be empty in CA certificates

  7. Profile for SeGW certificate (3/3) • The subject public key shall use algorithm "rsaEncryption" [RFC 4055], and the RSA public key value shall be at least 2048 bit RSA public key • The subjectAltName extension shall be present if this is a SeGW certificate, and should contain FQDN (if DNS is available) or IP address (if DNS is not available). However, use of FQDN is strongly recommended

  8. FAP processing requirements for SeGW certificates (1/2) • FAP IKEv2 certificate handling shall be compliant to RFC 4945 • FAP shall be able to support certificate paths containing up to four certificates (e.g. self-signed CA certificate, intermediate CA 1, intermediate CA 2, SeGW certificate) and may support longer path lengths • the intermediate CA certificates and the SeGW certificate are obtained from the IKEv2 CERT payload and the self-signed CA certificate is obtained from a FAP local store of trusted root certificates

  9. FAP processing requirements for SeGW certificates (2/2) • FAP shall only support GeneralizedTime encoding for validity time • FAP shall check the validity time, and reject certificates that are either not yet valid or are expired

  10. Proposal • Adopt the SeGW certificate profile requirements in this contribution for S.P0132-0

  11. References • RFC 5280; Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ; obsoletes 3280 • RFC 4043, Internet X.509 Public Key Infrastructure, Permanent Identifier • RFC 4055, Additional RSA Algorithms and Identifiers • RFC 4945, The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX, August 2007

More Related