E-certification: State of the Art & Prospects - PowerPoint PPT Presentation

Presentation Transcript
  1. E-certification: State of the Art & Prospects
     Dr. Stephen Kent
     Co-chair: PKIX WG – IETF
     VP & Chief Scientist - Information Security, BBN Technologies

  2. Digital Signature Uses
     • Authentication
     • Input to authorization decisions
       • Identity attributes need to be aligned to access control requirements
       • Application specific
       • Context specific
     • Non-repudiation
       • Used for dispute resolution
       • Needs ancillary functions
         • Time stamping, archiving, …

  3. Major IETF PKI Standards
     • PKIX
       • Certificate & CRL profile
       • Server-based Certificate Validation Protocol (SCVP)
       • Online Certificate Status Protocol (OCSP)
       • Time Stamp Protocols
       • PKI Certificate Policy & Certification Practice Statements (CP & CPS)
     • LTANS
       • Evidence Record Syntax (ERS)

  4. The One Certificate Fallacy
     • Individuals have multiple identities, each appropriate and meaningful in a different, often limited context
     • Unless these identities are embedded in certificates, each RP has to map a certificate subject name to the locally meaningful ID for authorization
     • This mapping requires another “registration” activity, which is what a CA/RA does
     • Each mapping database represents an opportunity to introduce additional authorization errors
     • If each relying party has to execute this activity for each user, a single identity certificate doesn’t help

  5. Using a National ID Certificate
     • Forget the one user, one certificate model
       • Due to authorization problems
       • For privacy reasons
     • But, an identity certificate issued by a national authority is valuable
       • It provides a reference for domain-specific ID certificate issuance, cutting costs
       • Domain-specific certificates preserve privacy and reduce fallout if a mapping error is made

  6. Ongoing IETF PKI Work
     • PKIX
       • Certificate Image
       • Trust Anchor Management Protocol
     • LTANS
       • XML Evidence Record Syntax
     • SIDR
       • Resource certificate & CRL profile
       • Certificate Policy for the Resource PKI
       • Compound Trust Anchor format

  7. Resource PKI
     • A global PKI for authorization
     • Attests to resource (IP address space & autonomous system number) holdings
     • Regional Internet Registries (RIRs) and ISPs as Certification Authorities
     • No meaningful IDs in certificates!
     • RIRs & IANA have agreed to act as CAs
     • Cisco & Juniper have (lab) code for 1st stage deployment

  8. RPKI Example
     [Diagram: the RPKI certification hierarchy]
     • IANA at the root (also holding the unallocated and reserved address pools)
     • RIRs below it: ARIN, APNIC, RIPE, AfriNIC, LACNIC
     • ISPs below the RIRs: ISPX, ISPY, ISPZ
     • Subscribers below the ISPs: SUBL, SUBK, …
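Slides 7 and 8 describe a PKI whose certificates carry resource holdings rather than meaningful identities, and whose hierarchy runs IANA → RIR → ISP → subscriber. The rule that makes such a PKI an authorization system is that every certificate's IP prefixes and AS numbers must be a subset of its issuer's. The following is an added illustration, not code from the talk or from any RPKI implementation; the holder names are taken from the diagram, while the holdings, the ResourceCert structure and the validate_chain function are constructed for this example.

```python
"""Minimal model of the RPKI resource-subset rule (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class ResourceCert:
    """A resource certificate: no meaningful subject ID, only holdings."""
    name: str              # label for the holder (IANA, an RIR, an ISP, ...)
    issuer: str | None     # name of the issuing CA; None for the trust anchor
    prefixes: list         # IPv4/IPv6 networks the holder is certified for
    asns: set              # autonomous system numbers the holder is certified for

def covered(prefix, parent_prefixes):
    """True if prefix lies inside one of the parent's prefixes of the same IP version."""
    return any(prefix.version == p.version and prefix.subnet_of(p) for p in parent_prefixes)

def validate_chain(chain):
    """chain[0] is the trust anchor, chain[-1] the leaf. Returns (ok, reason)."""
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.name:
            return False, f"{child.name}: issuer {child.issuer!r} is not {parent.name}"
        for pfx in child.prefixes:
            if not covered(pfx, parent.prefixes):
                return False, f"{child.name}: {pfx} not within {parent.name} holdings"
        extra = child.asns - parent.asns
        if extra:
            return False, f"{child.name}: AS{min(extra)} not within {parent.name} holdings"
    return True, "every certificate's resources are a subset of its issuer's"

# Constructed holdings using documentation ranges (RFC 5737, RFC 3849, RFC 5398).
IANA = ResourceCert("IANA", None,
                    [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")],
                    set(range(64496, 64512)))
ARIN = ResourceCert("ARIN", "IANA", [ip_network("192.0.2.0/25")], {64496, 64497, 64498})
ISPX = ResourceCert("ISPX", "ARIN", [ip_network("192.0.2.0/26")], {64496})
SUBL = ResourceCert("SUBL", "ISPX", [ip_network("192.0.2.16/28")], set())
# A subscriber certificate that over-claims: ISPX was never certified for 2001:db8::/48.
SUBK = ResourceCert("SUBK", "ISPX", [ip_network("2001:db8::/48")], set())

GOOD_CHAIN = [IANA, ARIN, ISPX, SUBL]
BAD_CHAIN = [IANA, ARIN, ISPX, SUBK]

if __name__ == "__main__":
    print(validate_chain(GOOD_CHAIN))   # (True, ...)
    print(validate_chain(BAD_CHAIN))    # (False, 'SUBK: 2001:db8::/48 not within ISPX holdings')
```

A relying party that applies this check at every link rejects the over-claiming SUBK certificate even though it is correctly signed by ISPX, which is why the certificates need no subject identity to be useful for authorization.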

  9. Anhinga