
Use of AIA for Attribute Certificates



Presentation Transcript


  1. Use of AIA for Attribute Certificates
     d.w.chadwick@kent.ac.uk

  2. Background
     • X.509 (2009) is working on PMI interworking between domains
     • Defining several new AC extensions for role mappings, attribute hierarchies, etc.
     • Needs an extension to point to the superior in a PMI delegation chain
     • AIA is the obvious choice, and this is already being used by VOMS in the grid world
     • The last ITU-T meeting in Jeju (May 2006) issued a liaison statement to the PKIX group asking whether AIA can be used for ACs

  3. Verifying Claimed Privilege
     [Figure: delegation diagram. Bill (SoA) issues an AC to Alice's public key; Alice (AA) signs and issues an AC to Bob's public key; Bob (holder) issues a signed command to the Privilege Verifier (RP). Bill's public key and the Root CA are the verifier's trust anchors. The Privilege Verifier checks the delegation of privileges, checks all signatures, and checks that the privilege is sufficient.]

  4. Two types of trust chain need to be followed from a presented AC
     • PKI chain of public key certificates from the signer of an AC to a root CA (trust anchor)
       Bob's AC → Alice's PKC → Root CA
     • PMI chain of attribute certificates from the holder of an AC to the Source of Authority (SoA)
       Bob's AC → Alice's AC → Bill (SoA)

  5. Extensions to support trust chains
     • We can use Authority Key Identifier inside the holder's AC to point to the PKC of the AC issuer
     • AKI will point to Alice's PKC, and off we go using existing PKI rules
     • We want to use Authority Information Access inside the holder's AC to point to the AC of the AC issuer
     • AIA will point to Alice's AC

  6. What are the problems with the latest AIA 3280bis-4 text?
     • Quote: "The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears" → EXCELLENT
     • BUT
     • Quote: "This extension may be included in end entity or CA certificates"
     • Q. Does this exclude ACs? Stephen thinks not.
     • Quote: "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
     • Problem: the access method is specifically focussed on CA certificates and does not allow it to be used to point to ACs

  7. Resolution
     • Either
         • We define a new access method, id-ad-aaIssuers, identical to the current one in syntax but with a different name, OID and descriptive text
     • Or
         • We modify the existing access method by calling it id-ad-issuers and change the current text from
           "The id-ad-caIssuers OID is used when the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
           to
           "When the id-ad-issuers OID is used, the additional information lists certificates that were issued to the CA that issued the certificate containing this extension"
         • and change all occurrences of id-ad-caIssuers to id-ad-issuers
     • We can then write appropriate text for id-ad-issuers when it occurs in ACs
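The verification the slides describe, as an added example that is not from the presentation or from VOMS or any other project it names. It DER-encodes an AIA extension carrying both an id-ad-caIssuers pointer (PKI side) and the proposed id-ad-aaIssuers pointer (PMI side), then walks the PMI chain from Bob's AC through Alice's AC to the SoA, performing the delegation and privilege-subset checks a privilege verifier needs (slides 3 to 5, and the first option of slide 7). The OID assigned to id-ad-aaIssuers, the URIs and the certificate records are constructed assumptions; signatures are not computed, and the PKI chain from Alice's PKC to the Root CA is ordinary path validation and is not modelled here.

```python
# Added example, not code from the presentation. Toy records model the slides' Bill (SoA)
# -> Alice (AA) -> Bob (holder) delegation: key ids stand in for public keys and nothing is
# signed; only the AIA extension is real DER. URIs and the id-ad-aaIssuers OID are assumed.
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # RFC 3280 id-ad-caIssuers
ID_AD_AA_ISSUERS = "1.3.6.1.5.5.7.48.99"  # ASSUMED placeholder for the proposed id-ad-aaIssuers

def _tlv(tag, body):   # DER TLV, definite length: short form under 128 bytes, else long form
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def _oid(dotted):   # DER OBJECT IDENTIFIER: first two arcs packed into one octet, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def encode_aia(access):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription {accessMethod OID,
    accessLocation GeneralName}; GeneralName as uniformResourceIdentifier [6] IA5String."""
    return _tlv(0x30, b"".join(_tlv(0x30, _oid(oid) + _tlv(0x86, uri.encode("ascii")))
                               for oid, uri in access))

def _read(buf, pos):   # one TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # roots itu-t(0)/iso(1) only
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_aia(der):   # inverse of encode_aia: list of (accessMethod OID, URI)
    tag, body, _ = _read(der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, desc, pos = _read(body, pos)
        t_oid, oid_body, p = _read(desc, 0)
        t_loc, loc, _ = _read(desc, p)
        if tag != 0x30 or t_oid != 0x06 or t_loc != 0x86:
            raise ValueError("only SEQUENCE OF {OID, URI} access descriptions are modelled")
        out.append((_decode_oid(oid_body), loc.decode("ascii")))
    return out

# Constructed toy PMI store keyed by the assumed URI each AC is fetched from. "aki" is the
# key id of the AC's signer; Bill's key id is the verifier's configured SoA trust anchor.
SOA_KEY_IDS = {"BILL"}
ACS = {
    "http://pmi.example/acs/alice": {"name": "Alice AC", "holder": "ALICE", "aki": "BILL",
                                     "privileges": {"read", "write", "delegate"},
                                     "aia": None},   # issued by the SoA itself: no superior AC
    "http://pmi.example/acs/bob": {"name": "Bob AC", "holder": "BOB", "aki": "ALICE",
                                   "privileges": {"read"},
                                   "aia": encode_aia([(ID_AD_CA_ISSUERS, "http://pki.example/ca/root"),
                                                      (ID_AD_AA_ISSUERS, "http://pmi.example/acs/alice")])},
}

def pmi_chain(ac):
    """Bob's AC -> Alice's AC -> Bill (SoA) via id-ad-aaIssuers. Each hop checks that the
    AC's issuer is the superior AC's holder and delegated no privilege it does not hold."""
    chain = [ac["name"]]
    while ac["aki"] not in SOA_KEY_IDS:
        ptrs = [u for oid, u in decode_aia(ac["aia"]) if oid == ID_AD_AA_ISSUERS]
        if not ptrs:
            raise ValueError(ac["name"] + ": no id-ad-aaIssuers pointer and issuer is not a trusted SoA")
        sup = ACS[ptrs[0]]
        if sup["holder"] != ac["aki"]:
            raise ValueError("delegation check failed: issuer of %s is not the holder of %s" % (ac["name"], sup["name"]))
        if not ac["privileges"] <= sup["privileges"]:
            raise ValueError("privilege escalation: %s holds more than %s may delegate" % (ac["name"], sup["name"]))
        chain.append(sup["name"])
        ac = sup
        if len(chain) > 8: raise ValueError("PMI chain too long or looping")
    return chain + ["SoA " + ac["aki"]]

def chain_error(ac):   # PMI chain failure message, or None when the chain verifies
    try:
        return pmi_chain(ac) and None   # a verified chain is a non-empty list
    except ValueError as e:
        return str(e)
```

The walker ignores the id-ad-caIssuers entry and follows only id-ad-aaIssuers, which is the point of slide 6: with the current text a verifier has no access method that tells it where the issuer's AC is, so an AC whose AIA carries only id-ad-caIssuers leaves the PMI chain unbuildable, and chain_error reports exactly that.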
