
S40-20090330-006

X50-20090330-0xx

3GPP2 TSG-S WG4 / TSG-X WG5 (PDS)

FAP Certificate profile (Revised)

Source: QUALCOMM Incorporated

Contact(s):

Anand Palanigounder ([email protected])

Jun Wang ([email protected])

Recommendation: Discuss and adopt



Background

  • At the last TSG-S WG4 meeting, we proposed a FAP certificate profile in S40-20090216-007

  • In this contribution, we revise the Femto AP (FAP) certificate profile

    • to align it with TS 33.210 (as this is what 3GPP uses for H(e)NBs) rather than with TS 33.234

    • to update terminology

    • to remove redundant requirements from the profile

  • We also propose an assumption that FAP certificates are issued by the FAP vendor


FAP Certificate issued using one level CA chain

[Figure: Root CA (e.g., Femto Manufacturer CA) → FAP Certificate]

1-level CA tree: the Root CA issues the device certificate for the FAP directly, signing it with the Root CA's private key; the signature is verified with the public key in the Root CA certificate.

The Root CA certificate must be stored at the SeGW as its trust anchor and is used to authenticate the FAP via the FAP's device certificate.


FAP certificate issued using two level CA chain

[Figure: Root CA (e.g., trusted 3rd party CA or Operator CA) → Sub-CA1 (e.g., Femto Manufacturer CA) → FAP Certificate]

2-level CA tree: the Root CA issues the Sub-CA certificates, signing them with the Root CA's private key; Sub-CA1 in turn issues the FAP certificates, signing them with Sub-CA1's private key.

The SeGW must have at least one of the Sub-CA1 certificate or the Root CA certificate stored as a trust anchor; the stored CA certificate is used to authenticate the FAP via its FAP certificate. The choice matters: if only the Root CA certificate is stored, the FAP must include the Sub-CA1 certificate in the certificate path it sends in IKEv2, or the SeGW cannot build a chain to its anchor; and storing the Root CA certificate trusts every Sub-CA issued under that root, whereas storing Sub-CA1 confines trust to that one manufacturer CA.
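The two trust-anchor options on this slide, as an added example that is not part of this contribution: a POSIX shell script that builds the chain (Root CA, Sub-CA1 as the manufacturer CA, FAP device certificate) with the OpenSSL command-line tool and then runs the verification a SeGW performs with either CA certificate as its stored trust anchor. All subject names, the FEID value 0011223344556677 in the subjectAltName, the file layout and the use of OpenSSL 1.1.1 or later are assumptions made for illustration. The FAP passing its Sub-CA1 certificate along in its certificate path is modelled with the -untrusted option, which plays the role of the additional CERT payload in IKEv2.

```sh
#!/bin/sh
# Added example, not part of the 3GPP2 contribution: the two-level CA chain
# from the slide, built with the OpenSSL CLI (1.1.1 or later assumed), and
# the SeGW-side verification with either CA certificate as trust anchor.
# Subject names, the FEID value and the file layout are assumptions.
set -eu

# make_chain DIR : writes root.pem, subca.pem and fap.pem (plus keys) into DIR
make_chain() {
  d=$1
  mkdir -p "$d"
  # Root CA: self-signed, RSA-2048, sha256WithRSAEncryption. OpenSSL's default
  # "req -x509" extensions mark it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Sub-CA1 (femto manufacturer CA): CSR signed with the Root CA's private key
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$d/subca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Femto Manufacturer CA" \
    -keyout "$d/subca.key" -out "$d/subca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$d/subca.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/subca.ext" -out "$d/subca.pem" 2>/dev/null
  # FAP device certificate: CSR signed with Sub-CA1's private key; the FEID
  # (an assumed EUI-64) is the first label of the subjectAltName dNSName
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'subjectAltName=DNS:0011223344556677.vendor.com' > "$d/fap.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=FAP 0011223344556677" \
    -keyout "$d/fap.key" -out "$d/fap.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/fap.csr" \
    -CA "$d/subca.pem" -CAkey "$d/subca.key" -CAcreateserial \
    -extfile "$d/fap.ext" -out "$d/fap.pem" 2>/dev/null
}

# segw_verify ANCHOR FAP [SENT_CA]
#   ANCHOR  : the CA certificate stored at the SeGW (Root CA or Sub-CA1)
#   FAP     : the device certificate the FAP presents in IKEv2
#   SENT_CA : optional CA certificate the FAP included in its certificate
#             path; it stays untrusted until it chains up to ANCHOR
#   -partial_chain lets a non-self-signed Sub-CA1 serve as the trust anchor,
#   which is what storing only Sub-CA1 at the SeGW amounts to.
#   Prints OK or FAIL and always returns 0.
segw_verify() {
  anchor=$1; fap=$2; sent=${3:-}
  if [ -n "$sent" ]; then set -- -untrusted "$sent"; else set --; fi
  if openssl verify -CAfile "$anchor" -partial_chain ${1+"$@"} "$fap" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

work=$(mktemp -d)
make_chain "$work"
r=$work/root.pem; s=$work/subca.pem; f=$work/fap.pem
echo "anchor=Sub-CA1, FAP sends [FAP]         : $(segw_verify "$s" "$f")"
echo "anchor=Root CA, FAP sends [FAP]         : $(segw_verify "$r" "$f")"
echo "anchor=Root CA, FAP sends [FAP, Sub-CA1]: $(segw_verify "$r" "$f" "$s")"
```

Running the script prints OK for the first and third case and FAIL for the second: with only the Root CA stored and only the device certificate received, the SeGW has no way to reach its anchor, which is why the path the FAP sends has to carry Sub-CA1 in that deployment. Without -partial_chain OpenSSL insists on reaching a self-signed root, so the first case would fail too; a SeGW that stores Sub-CA1 as its anchor must treat it as a trust anchor in exactly this sense.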


Profile for FAP certificate (1/3)

  • X.509 certificates used for authentication of the FAP by the SeGW shall be compliant with RFC 5280 and RFC 4945 and shall meet the profile defined below

    • The signature algorithm shall be "sha256WithRSAEncryption", and the RSA key used for signing (the issuing CA's key) shall be at least 2048 bits


Profile for FAP certificate (2/3)

  • The issuer name shall not be empty and shall identify the issuer (as defined in RFC 5280 section 4.1.2.4)

  • The subject public key shall use the algorithm "rsaEncryption" [RFC 4055], and the RSA public key shall be at least 2048 bits


Profile for FAP certificate (3/3)

  • The subjectAltName extension shall be present in the FAP certificate and shall contain the FEID, an IEEE EUI-64 identifying the hardware address of the FAP, as the first label of a name in FQDN format

    • E.g., FEID.vendor.com or FEID.femto, where FEID is the EUI-64 value

    • NOTE: The FEID only needs to be encoded in FQDN format and does not have to resolve to any real IP address. RFC 4945 expects the IKEv2 identity to match a name in the certificate, so the FAP presents this same FQDN as its ID_FQDN identity


SeGW processing requirements for FAP certificates (1/2)

  • FAP certificate handling in IKEv2 shall be compliant with RFC 4945

  • The FAP shall not send certificate paths containing more than four certificates

  • The SeGW shall be able to support FAP certificate paths containing up to four certificates (this is also the limit IKEv2 itself sets in RFC 4306 section 3.6, which requires implementations to be able to send and accept up to four X.509 certificates)


SeGW processing requirements for FAP certificates (2/2)

  • The SeGW shall only support GeneralizedTime encoding for validity time

    • NOTE: RFC 5280 section 4.1.2.5 requires CAs to encode validity dates through 2049 as UTCTime and only dates in 2050 or later as GeneralizedTime, so an RFC 5280 compliant certificate whose validity lies before 2050 carries UTCTime and would be rejected by a SeGW that accepts only GeneralizedTime; this requirement has to be reconciled with the RFC 5280 compliance required on the profile slides

  • The SeGW shall check the validity time and reject certificates that are either not yet valid or already expired
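The per-certificate checks from the three profile slides and the two SeGW processing slides, as an added example that is not part of this contribution: a POSIX shell function that inspects a FAP certificate with the OpenSSL command-line tool and reports every profile violation it finds (signature algorithm, RSA key size, non-empty issuer, EUI-64 FEID as the first label of the subjectAltName dNSName, GeneralizedTime encoding, validity window), plus a helper that enforces the four-certificate path limit. The subject name, the FEID value, the file paths and OpenSSL 1.1.1 or later are assumptions; so is the accepted text form of the FEID (16 hex digits, with or without IEEE hyphen grouping), which the profile does not pin down.

```sh
#!/bin/sh
# Added example, not part of the 3GPP2 contribution: SeGW-side profile checks
# for a FAP certificate, scripted around the OpenSSL CLI (1.1.1 or later
# assumed). Subject name, FEID value and file paths are assumptions, and so
# is the accepted text form of the EUI-64 FEID (16 hex digits, optionally
# in IEEE "xx-xx-..." groups), which the profile does not pin down.
set -eu

# widen TIME : map a 13-char UTCTime (YYMMDDHHMMSSZ) to the 4-digit-year form
# GeneralizedTime uses, applying the RFC 5280 pivot (YY >= 50 means 19YY)
widen() {
  case ${#1} in
    13) case $1 in [5-9]*) echo "19$1" ;; *) echo "20$1" ;; esac ;;
    *)  echo "$1" ;;
  esac
}

# check_fap_profile CERT.pem : prints one line per profile violation,
# returns 0 only when the certificate satisfies every rule checked here
check_fap_profile() {
  c=$1; bad=0
  txt=$(openssl x509 -in "$c" -noout -text)

  # Signature algorithm shall be sha256WithRSAEncryption (the RFC 4055 name)
  sig=$(printf '%s\n' "$txt" | grep 'Signature Algorithm:' | head -n 1)
  case $sig in
    *sha256WithRSAEncryption*) ;;
    *) echo "signature algorithm is not sha256WithRSAEncryption:$sig"; bad=1 ;;
  esac

  # Subject public key shall be rsaEncryption with a modulus of >= 2048 bits
  bits=$(openssl x509 -in "$c" -noout -pubkey \
         | openssl rsa -pubin -noout -text 2>/dev/null \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if ! printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "subject public key algorithm is not rsaEncryption"; bad=1
  elif [ "${bits:-0}" -lt 2048 ]; then
    echo "RSA modulus is ${bits:-0} bits, profile requires at least 2048"; bad=1
  fi

  # Issuer name shall not be empty
  iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$iss" ] || { echo "issuer name is empty"; bad=1; }

  # subjectAltName shall carry the FEID as the first label of a dNSName
  san=$(printf '%s\n' "$txt" | grep -o 'DNS:[^, ]*' | head -n 1 | sed 's/^DNS://')
  if [ -z "$san" ]; then
    echo "subjectAltName has no dNSName carrying the FEID"; bad=1
  else
    feid=${san%%.*}
    if ! printf '%s\n' "$feid" \
         | grep -Eq '^([0-9A-Fa-f]{16}|([0-9A-Fa-f]{2}-){7}[0-9A-Fa-f]{2})$'; then
      echo "first subjectAltName label '$feid' is not an EUI-64 FEID"; bad=1
    fi
  fi

  # Validity: only GeneralizedTime is accepted, and the certificate must be
  # inside its window now. asn1parse prints notBefore/notAfter as
  # "UTCTIME :YYMMDDHHMMSSZ" or "GENERALIZEDTIME :YYYYMMDDHHMMSSZ".
  set -- $(openssl asn1parse -in "$c" \
           | sed -E -n 's/.*(UTCTIME|GENERALIZEDTIME) *:([0-9]+Z).*/\1 \2/p' \
           | head -n 2)
  nb_kind=${1:-}; nb=$(widen "${2:-}"); na_kind=${3:-}; na=$(widen "${4:-}")
  for kind in "$nb_kind" "$na_kind"; do
    if [ "$kind" != GENERALIZEDTIME ]; then
      echo "validity time is encoded as $kind, SeGW accepts only GeneralizedTime"
      bad=1; break
    fi
  done
  now=$(date -u +%Y%m%d%H%M%SZ)
  if [ "$(expr "$nb" \> "$now")" = 1 ]; then
    echo "certificate not yet valid (notBefore $nb)"; bad=1
  fi
  if [ "$(expr "$na" \< "$now")" = 1 ]; then
    echo "certificate expired (notAfter $na)"; bad=1
  fi
  return $bad
}

# path_len_ok BUNDLE.pem : true when the PEM path holds at most 4 certificates
path_len_ok() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -le 4 ]
}

# Demonstration: a self-signed certificate that meets every rule except the
# time encoding, because OpenSSL follows RFC 5280 and uses UTCTime before 2050
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=FAP 0011223344556677" \
  -addext "subjectAltName=DNS:0011223344556677.vendor.com" \
  -keyout "$work/fap.key" -out "$work/fap.pem" 2>/dev/null
echo "profile violations for $work/fap.pem:"
check_fap_profile "$work/fap.pem" || true
```

The demonstration at the end signs a certificate that satisfies every other rule and still gets exactly one violation reported, because OpenSSL, following RFC 5280, encodes pre-2050 dates as UTCTime; that is the collision between the GeneralizedTime rule and the RFC 5280 date rules that a SeGW implementer has to resolve before deploying such a check. Feeding the function a certificate whose first subjectAltName label is an ordinary host name adds the FEID violation, which is the case an attacker-controlled or misconfigured device certificate would trip.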



Proposal

  • Adopt the FAP certificate profile requirements into S.P0132-0


References

  • RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, May 2008 (obsoletes RFC 3280)

  • RFC 4043, Internet X.509 Public Key Infrastructure Permanent Identifier, May 2005

  • RFC 4055, Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, June 2005

  • RFC 4945, The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX, August 2007

