1 / 19

Certificate Policy Equivalence in Cross-Certification

Explore various cross-certification models and certificate policy harmonization for seamless PKI interoperability.

meredith-horne
Download Presentation

Certificate Policy Equivalence in Cross-Certification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Determining Equivalence between Certificate Policies for Purposes of Cross-Certification Jimmy C. Tseng Assistant Professor of Electronic Commerce Rotterdam School of Management Erasmus University Rotterdam Tel: +31-10-408-2854 Fax: +31-10-408-9010 Email: jtseng@fbk.eur.nl

  2. I. Cross-certification • The certification of one CA by another in order for a verifier to construct and verify certification paths across PKI domains • Construction of certification paths • Level of directory support • Scalability across organisations • Harmonise certificate policies TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  3. Sub-ordinated Hierarchies • Top-down from Root CA • Simple path construction • Low directory dependency • Weak scalability across organisations TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  4. Cross-certified meshes • Pair-wise between CAs • Difficult path construction • High directory dependency • Medium scalability across organisations TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  5. Hybrid model • Top-down or pair-wise • Multiple paths may exist, but simple path known • Moderate directory dependency • Medium scalability across organisations TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  6. Bridge CA • Pairwise with Bridge CA • Simple, all non-local paths traverse bridge • Medium directory dependency • Scaleable across organisations TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  7. Trust list • Recognition by verifiers • Simple but limited to paths that begin within the trust list • Low directory dependency • Fair scalability, requires intensive management TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  8. II. Certificate Policy • CP defines “applicability of a certificate to a particular community and/or class of application with common security requirements” • CP used by “certificate users to decide whether or not to trust a certificate for a particular purpose” • “Any one certificate will typically declare a single certificate policy or, possibly, be issued consistent with a small number of different policies.” – RFC2527 TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  9. Object Identifiers • “A certificate policy, which needs to be recognized by both the issuer and user of a certificate, is represented in a certificate by a unique, registered Object Identifier. The registration process follows the procedures specified in ISO/IEC and ITU standards.” – RFC2527 TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  10. Looking up a Certificate Policy • Currently no standard means of looking up an OID • How to use OIDs to represent different policy dimensions? • “The party that registers the Object Identifier also publishes a textual specification of the certificate policy, for examination by certificate users.” • Is the certificate user forced to revert back to the CPS? TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  11. Domain A Domain B (3) CA A CA B (2) Application A Application B (1) (1) Trust Entity A Entity B III. PKI Interoperation • Component-level Interoperation (standards) • Application-level Interoperation (cross platform compatibility) • Inter-domain Interoperation (harmonise certificate policies) TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  12. PKI Interdomain Interoperation • Interworking of CAs across different administrative and trust domains • Requires common or equivalent certificate policies (CP) and certification practices (CPS) • Harmonising CP and CPS are fraught with difficulties (e.g. cross-certification, policy constraints, certificate path validation) • CAs operate from different jurisdictions TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  13. IV. The Fiducia Project • Modelling the risks in interoperable public key infrastructures • Working Together • Spreading Trust • Securing Value

  14. Contractual arrangements Interoperability CA A CA B Agreement CPS A CPS B Subscriber Subscriber Agreement B Agreement A Subject B Good and services Subject A RP A Payment Goverance Structure Relying Party Agreement A Modelling Contractual Risk in PKI Relationships • Modelling Business Risk in Electronic Transacting • Modelling Contractual Obligations and Liability in PKI • Non-legislative standards governing provision and use of PKI TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  15. CA Database • Database of 110 public facing CAs from 33 countries in 16 languages TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  16. CPS Database • Full-text collection of CPs and CPSs TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  17. Model Framework Legislation CPS1 CPS2 CPS3 Coding scheme Specification language Semantic Schema - entities and rules Semantic elements Substantive rules Procedural rules Support for retrieval, query, and modelling Legal Analysis • Legal and Semantic Analysis • Clarifying Roles, Obligations and Liabilities of all parties in PKI TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  18. TTP # CA# RA# IA# vets State# Digital Certificate # (subscriber certificate) (verified subject) Issued to (certificate holder) Subject# Person# Corporate# Server# contains assigned (public key) cryptographic key# pair# (private key) Semantic Analysis • Ontology of affordances (possible behaviours) • Norms (that trigger actual behaviours) TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

  19. Tools for Determining Equivalence between Certificate Policies • From certificate path validation to determining certificate policy equivalence • Textual database of certificate policy dimensions • Specification of similarities and differences across certificate policy dimensions • Basis for policy mapping and cross-certification TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

More Related