EuroPKI - PowerPoint PPT Presentation
Presentation Transcript

  1. EuroPKI • Antonio Lioy • <lioy@polito.it> • Politecnico di Torino • Dip. Automatica e Informatica

  2. The Copernican revolution (diagram: an X.509 certificate linked to secure e-mail, secure remote access, secure Web, IP security, secure boot, secure VPN, Win2000 security, secure DNS, no viruses & Trojan horses, role-based security)

  3. The actual (Ptolemaic) poor situation (diagram: separate credentials per service: login, file transfer, login, DBMS, SSH (univ.), pwd (univ.), web, web, S/MIME, POP, pwd (ISP), PKI (X))

  4. What is EuroPKI? • EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective interoperable network security techniques.

  5. Background • ICE-TEL project (1997-1998) • ICE-CAR project (1999-2000) • various national projects (1996-2000) • since January 1, 2000: EuroPKI

  6. EuroPKI hierarchy (diagram: EuroPKI TLCA; EuroPKI Austria, EuroPKI Slovenia, EuroPKI Italy; City of Rome CA, Politecnico di Torino CA, EETIC CA; end entities: people, servers)

  7. Constituency • root + • AT (IAIK) • IE (TCD) • IT (POLITO) • Italian tree, with 4 City Halls • integration with the Italian identity chip-card • SI (IJS) • Slovenian tree • UK (UCL)

  8. Prospective partners • there have been talks within the TERENA PKI-coord task force • expressions of interest from: • Surfnet (NL) • Rediris (ES) • Thessaloniki Univ. (GR) • Garr (IT)

  9. Why a hierarchy? • it’s the only solution that works • now • for most applications (especially COTS) • EuroPKI might move to other schemas (e.g., cross-certification, bridge) if and when applications become available

  10. EuroPKI services • EuroPKI is not “selling” services although it provides: • certification • revocation • publication • data and cert validation • aggregation point for: • competence centre • coordination

  11. Certification • X.509v3 certificates • global CP (Certification Policy) • local CPS (Certification Practice Statement)

  12. Certification policy • current draft: • 28 pages • based on RFC-2527 (with extensions) • basic idea: • be as unrestrictive as possible, so that anybody can join ... • ... while retaining a level of security useful for practical applications

  13. Strong CP requirements • personal identification of the subject • secure management of the CA • periodic publication of CRL

  14. Applications supported • Web: • SSL/TLS • signed applets • SSL-based applications: • telnet, FTP, SMTP, POP, IMAP, ... • e-mail and secure documents: • S/MIME, PKCS-7, CMS, … • IPsec (also on routers via SCEP) • (looking into secure DNS)

  15. Publication • certificates and CRLs • Web servers: • for humans • directory server: • for applications • LDAP (local) directories • X.500 (global) directory • X.521 schema

  16. Revocation • CRL (Certificate Revocation List) • cumulative list of revoked certificates • issued periodically • updated as needed • OCSP (On-Line Certificate Status Protocol): • “is this cert valid now?” • unknown, valid, invalid

  17. Time-stamping • proof of data existence at a given date • IETF-PKIX-TSP-draft-14 • TSP server (Win32, Unix) • TSP client (cmd-line, GUI only for Win32)

  18. OCSP (diagram: CRLs from several CAs are collected by the OCSP server, which is queried by an OCSP (embedded) client) • OCSP server (Unix, Win32) • automatic CRL collection from several CAs • OCSP library + cmd-line client (Unix, NT)
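As an added illustration of the status model on slides 16 and 18 (this is not code from the EuroPKI project): a CRL-backed OCSP responder that collects CRLs from several CAs and answers "is this cert valid now?" with the slide's vocabulary valid / invalid / unknown (RFC OCSP says good / revoked / unknown). CA names, serial numbers, dates and revocation reasons are constructed; answering "unknown" when the only CRL held is outside its validity window is an assumption of this example, not a stated EuroPKI policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CRL:
    """Constructed stand-in for one CA's X.509 CRL: issuer, validity window
    (thisUpdate / nextUpdate) and the serial numbers it lists as revoked."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation reason


class CrlBackedOcspResponder:
    """Answers certificate status queries from CRLs collected from several CAs."""

    def __init__(self):
        self.crls = {}   # issuer name -> freshest CRL seen from that CA

    def collect(self, crl):
        # Automatic CRL collection: keep only the newest CRL per issuer,
        # so an older CRL delivered late never overwrites a newer one.
        cur = self.crls.get(crl.issuer)
        if cur is None or crl.this_update > cur.this_update:
            self.crls[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self.crls.get(issuer)
        if crl is None:
            return "unknown"   # no CRL from this CA: cannot vouch either way
        if not (crl.this_update <= now <= crl.next_update):
            return "unknown"   # assumption: a stale CRL is not authoritative
        if serial in crl.revoked:
            return "invalid"   # listed on a current CRL
        return "valid"         # not listed on a current CRL


def demo():
    """Constructed scenario: two POLITO CRLs (old and new), one stale IAIK CRL."""
    now = datetime(2000, 6, 1, tzinfo=timezone.utc)
    week = timedelta(days=7)
    r = CrlBackedOcspResponder()
    r.collect(CRL("POLITO CA", now - week, now + week,
                  {0x11: "keyCompromise", 0x12: "superseded"}))
    r.collect(CRL("POLITO CA", now - 2 * week, now - week, {0x11: "keyCompromise"}))
    r.collect(CRL("IAIK CA", now - 3 * week, now - 2 * week, {}))
    return {
        "polito_revoked": r.status("POLITO CA", 0x12, now),   # only in newer CRL
        "polito_good": r.status("POLITO CA", 0x13, now),
        "iaik_stale_crl": r.status("IAIK CA", 0x01, now),
        "unknown_ca": r.status("TCD CA", 0x01, now),
    }
```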

  19. SSL-telnet, SSL-ftp (diagram: SSL-x client talking to SSL-x server, which consults LDAP and OCSP) • SSL channel • server authentication • client authentication can supplement or replace passwords • server for Unix and Win32 (FTP only) • client for Unix (cmd-line) and Win32 (GUI)

  20. Authentication or authorization? • most of the problems are trust-related • often this is due to the wrong and unnecessary coupling of authentication with authorization • we need to cut this knot: • authenticate only once and globally • authorization on a local basis, with local control

  21. Attributes / roles / permissions … • where should I put additional info related to a certificate? • inside the certificate, in order to keep all data together • in a directory • or in an attribute certificate

  22. Next steps • European digital signature law: • qualified certificates • voluntary accreditation • support for other EC projects: • NASTEC (PKI-based secure IS; PKI at least for Poland and Romania) • TESI (CDSA-based security middleware)

  23. On-going technical work • cleanly separate authentication and authorization (local file, LDAP, AC, …) • DNS as a repository, DNSsec • automatic policy negotiation (L3 … L7): • policy description (XML-based language) • policy negotiation (ISPP) • policy compliance (enforcement gateway) • integration with Win2000: • LDAP • IPsec • DNSsec

  24. Future • I have a dream ... • ... a pan-European open and public PKI to enable network security • who is interested? EuroPKI?