Marco Casassa Mont: Pki overview

  1. Public Key Infrastructure (X509 PKI)
     HP Laboratories, Bristol, UK
     Trusted E-Services Laboratory - HP Labs - Bristol
     Marco Casassa Mont
  2. Outline
     • Basic Problem of Confidence and Trust
     • Background: Cryptography, Digital Signature, Digital Certificates
     • (X509) Public Key Infrastructure (PKI)
     • (X509) PKI: Trust and Legal Issues
  3. Confidence and Trust Issues in the Digital World
  4. Basic Problem
     [Diagram: Alice and Bob exchanging data across Intranet, Extranet and Internet]
     Bob and Alice want to exchange data in a digital world. There are Confidence and Trust Issues …
  5. Confidence and Trust Issues
     • In the Identity of an Individual or Application: AUTHENTICATION
     • That the information will be kept Private: CONFIDENTIALITY
     • That information cannot be Manipulated: INTEGRITY
     • That information cannot be Disowned: NON-REPUDIATION
  6. Starting Point: Cryptography
  7. Starting Point: Cryptography
     Cryptography: the science of making the cost of acquiring or altering data greater than the potential value gained.
     Cryptosystem: a system that provides techniques for mangling a message into an apparently unintelligible form and then recovering it from the mangled form.
     [Diagram: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext, e.g. “Hello World” → &$*£(“!273 → “Hello World”]
  8. Cryptographic Algorithms
     All cryptosystems are based only on three Cryptographic Algorithms:
     • MESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …): maps variable length plaintext into fixed length ciphertext; no key usage, computationally infeasible to recover the plaintext
     • SECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …): encrypt and decrypt messages by using the same Secret Key
     • PUBLIC KEY (DSA, RSA, …): encrypt and decrypt messages by using two different Keys: Public Key, Private Key (coupled together)
  9. Cryptographic Algorithms based on Private Key
     [Diagram: Plaintext → Encryption (Private Key) → Ciphertext → Decryption (Private Key) → Plaintext]
     Pros
     • Efficient and fast Algorithm
     • Simple model
     Provides Integrity, Confidentiality
     Cons
     • The same secret key must be shared by all the entities involved in the data exchange
     • High risk
     • It doesn’t scale (proliferation of secrets)
     No Authentication, Non-Repudiation
  10. Cryptographic Algorithms based on Public Key
     [Diagram: Bob to Alice across Intranet, Extranet and Internet: Plaintext → Encryption (Alice’s Public Key) → Ciphertext → Decryption (Alice’s Private Key) → Plaintext]
     Pros
     • Private key is only known by the owner: less risk
     • The algorithm ensures Integrity and Confidentiality by encrypting with the Receiver’s Public key
  11. Cryptographic Algorithms based on Public Key
     [Diagram: Bob to Alice across Intranet, Extranet and Internet: Plaintext → Encryption (Bob’s Private Key) → Ciphertext → Decryption (Bob’s Public Key) → Plaintext]
     Pros
     • The algorithm ensures Non-Repudiation by encrypting with the Sender’s Private key
  12. Cryptographic Algorithms based on Public Key
     Cons
     • Algorithms are 100 – 1000 times slower than secret key ones. They are used in an initial phase of communication and then secret keys are generated to deal with encryption
     • How are Public keys made available to the other people?
     • There is still a problem of Authentication!!! Who ensures that the owner of a key pair is really the person whose real life name is “Alice”?
     Moving towards PKI …
  13. Digital Signature
  14. Digital Signature
     A Digital Signature is a data item that vouches for the origin and the integrity of a Message.
     • The originator of a message uses a signing key (Private Key) to sign the message and sends the message and its digital signature to a recipient
     • The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit
  15. Digital Signature
     [Diagram: Signer side: Message → Hash Function (Digest Algorithm) → Digest → Encryption with Private Key → Signature; Message and Signature travel over the Channel; Receiver side: Signature → Decryption with Public Key → Expected Digest, Message → Hash Function (Digest Algorithm) → Actual Digest, and the two digests are compared]
  16. Digital Signature
     There is still a problem linked to the “Real Identity” of the Signer. Why should I trust what the Sender claims to be?
     Moving towards PKI …
  17. Digital Certificate
  18. Digital Certificate
     A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating to its Identity.
     • The entity can be a Person, a Hardware Component, a Service, etc.
     • A Digital Certificate is issued (and signed) by someone
     • A self-signed certificate usually is not very trustworthy
       - Usually the issuer is a Trusted Third Party
  19. Digital Certificate
     [Diagram: a CERTIFICATE holds Issuer, Subject, Subject Public Key and the Issuer’s Digital Signature]
  20. Digital Certificate: Problems
     • How are Digital Certificates Issued?
     • Who is issuing them?
     • Why should I Trust the Certificate Issuer?
     • How can I check if a Certificate is valid?
     • How can I revoke a Certificate?
     • Who is revoking Certificates?
     Moving towards PKI …
  21. Public Key Infrastructure (PKI)
  22. Public Key Infrastructure (PKI)
     A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates
  23. Public Key Infrastructure (PKI)
     “A PKI is a set of agreed-upon standards, Certification Authorities (CA), structure between multiple CAs, methods to discover and validate Certification Paths, Operational Protocols, Management Protocols, Interoperable Tools and supporting Legislation”
     “Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams
  24. Public Key Infrastructure (PKI)
     Focus on:
     • X509 PKI
     • X509 Digital Certificates
     Standards defined by IETF, PKIX WG: http://www.ietf.org/
     … even if X509 is not the only approach (e.g. SPKI)
  25. X509 PKI – Technical View
     Basic Components:
     • Certificate Authority (CA)
     • Registration Authority (RA)
     • Certificate Distribution System
     • PKI enabled applications
     (CA, RA and Certificate Distribution System form the “Provider” Side; PKI enabled applications form the “Consumer” Side)
  26. X509 PKI – Simple Model
     [Diagram: Certification Entity (CA and RA), a Directory holding Certs and CRLs, and users (Application/Service, Remote Person, Local Person) connected over the Internet; a Cert. Request goes to the Certification Entity and a Signed Certificate comes back]
  27. X509 PKI: Certificate Authority (CA)
     Basic Tasks:
     • Key Generation
     • Digital Certificate Generation
     • Certificate Issuance and Distribution
     • Revocation
     • Key Backup and Recovery System
     • Cross-Certification
  28. X509 PKI: Registration Authority (RA)
     Basic Tasks:
     • Registration of Certificate Information
     • Face-to-Face Registration
     • Remote Registration
     • Automatic Registration
     • Revocation
  29. X509 PKI: Certificate Distribution System
     Provide Repository for:
     • Digital Certificates
     • Certificate Revocation Lists (CRLs)
     Typically:
     • Special Purposes Databases
     • LDAP directories
  30. Certificate Revocation List
     [Diagram: a CRL listing revoked certificates]
     Revoked Certificates remain in the CRL until they expire
  31. Certificate Revocation List (CRL)
     • CRLs are published by CAs at well defined intervals of time
     • It is a responsibility of “Users” of certificates to “download” a CRL and verify if a certificate has been revoked
     • User application must deal with the revocation processes
  32. Online Certificate Status Protocol (OCSP)
     • An alternative to CRLs
     • IETF/PKIX standard for a real-time check if a certificate has been revoked/suspended
     • Requires a high availability OCSP Server
  33. CRL vs OCSP Server
     [Diagram: CRL model: User, CA, CRL, Directory, “Download CRL”. OCSP model: User, CA, CRL, Directory, “Download CRL”, OCSP Server; the User sends the Certificate IDs to be checked to the OCSP Server and receives an Answer about Certificate States]
  34. X509 PKI: PKI-enabled Applications
     Functionality Required:
     • Cryptographic functionality
     • Secure storage of Personal Information
     • Digital Certificate Handling
     • Directory Access
     • Communication Facilities
  35. X509 PKI: Trust and Legal Issues
  36. X509 PKI: Trust and Legal Issues
     • Why should I Trust a CA?
     • How can I determine the liability of a CA?
  37. X509 PKI: Approaches to Trust and Legal Aspects
     • Why should I Trust a CA? → Certificate Hierarchies, Cross-Certification
     • How can I determine the liability of a CA? → Certificate Policies (CP) and Certificate Practice Statement (CPS)
  38. X509 PKI: Approach to Trust: Certificate Hierarchies and Cross-Certification
  39. CA Technology Evolution
     Try to reflect Real world Trust Models
     [Diagram: several CAs with their RAs and LRAs, connected to Directory Services over the Internet]
  40. Simple Certificate Hierarchy
     [Diagram: Root CA → Sub-CAs → End Entities]
     Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA.
     Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently.
     End entities need to “find” a certificate path to a CA that they trust.
  41. Simple Certificate Path
     [Diagram: Alice and Bob under a Trusted Root]
     Alice trusts the root CA. Bob sends a message to Alice.
     Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate. Alice also needs each CRL for each CA.
     Only then can Alice verify that Bob’s certificate is valid and trusted and so verify Bob’s signature.
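The path walk Alice performs in slide 41, built on the signature flow of slide 15, the certificate fields of slide 19 and the CRLs of slides 30 and 31, as an added example that is not part of the original deck. Textbook RSA on Mersenne primes stands in for a real signature scheme (no padding, keys far too small for actual use), and the names Root CA, Sub-CA and Bob, the serial numbers, the dates and the dict-based certificate and CRL layout are all constructed here.

```python
import hashlib
from datetime import date

def make_keypair(k_p, k_q, e=65537):
    """Textbook RSA (no padding) on Mersenne primes 2**k - 1: real primes, far too small for real use."""
    p, q = (1 << k_p) - 1, (1 << k_q) - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private); Python 3.8+

def digest(data: bytes) -> int:
    """Slide 15: hash the message; only the (here 128-bit) digest is signed."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")
def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)        # 'encrypt' the digest with the private key
def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)   # expected digest == actual digest

# Slide 19: a certificate binds Subject and Subject Public Key to an Issuer,
# under the Issuer's signature over the "to be signed" (tbs) fields.
def tbs(cert) -> bytes:
    fields = ("serial", "subject", "issuer", "public_key", "not_after")
    return "|".join(str(cert[k]) for k in fields).encode()

def issue(serial, subject, subject_pub, issuer_name, issuer_priv, not_after):
    cert = {"serial": serial, "subject": subject, "issuer": issuer_name,
            "public_key": subject_pub, "not_after": not_after}
    cert["signature"] = sign(issuer_priv, tbs(cert))
    return cert

# Slides 30-31: each CA publishes a signed list of revoked serial numbers.
def crl_tbs(crl) -> bytes:
    return repr((crl["issuer"], crl["revoked"])).encode()

def make_crl(issuer_name, issuer_priv, revoked_serials):
    crl = {"issuer": issuer_name, "revoked": sorted(revoked_serials)}
    crl["signature"] = sign(issuer_priv, crl_tbs(crl))
    return crl

def validate(cert, directory, trusted_root, crls, today=date(2025, 1, 1)):
    """Slide 41: walk issuer links up to a self-signed root, require it to be the
    trusted one, then check signature, expiry and CRL status of every link."""
    path = [cert]
    while path[-1]["issuer"] != path[-1]["subject"]:   # stop at a self-signed cert
        issuer = directory.get(path[-1]["issuer"])
        if issuer is None:
            return "no path: issuer %r not found" % path[-1]["issuer"]
        path.append(issuer)
    if path[-1] != trusted_root:
        return "path ends at an untrusted root %r" % path[-1]["subject"]
    for i, c in enumerate(path):
        issuer = path[i + 1] if i + 1 < len(path) else c   # the root verifies itself
        if not verify(issuer["public_key"], tbs(c), c["signature"]):
            return "bad signature on %r" % c["subject"]
        if today > c["not_after"]:
            return "%r has expired" % c["subject"]
        crl = crls.get(c["issuer"])
        if crl is None or not verify(issuer["public_key"], crl_tbs(crl), crl["signature"]):
            return "no valid CRL for CA %r" % c["issuer"]
        if c["serial"] in crl["revoked"]:
            return "%r is revoked" % c["subject"]
    return "valid"

# Constructed hierarchy (slide 40): Root CA -> Sub-CA -> Bob, held in a directory.
root_pub, root_priv = make_keypair(521, 607)
sub_pub, sub_priv = make_keypair(127, 107)
bob_pub, bob_priv = make_keypair(89, 61)
EXPIRY = date(2030, 1, 1)
ROOT = issue(1, "Root CA", root_pub, "Root CA", root_priv, EXPIRY)   # self-signed
SUB = issue(2, "Sub-CA", sub_pub, "Root CA", root_priv, EXPIRY)
BOB = issue(3, "Bob", bob_pub, "Sub-CA", sub_priv, EXPIRY)
DIRECTORY = {c["subject"]: c for c in (ROOT, SUB, BOB)}
CLEAN_CRLS = {"Root CA": make_crl("Root CA", root_priv, []),
              "Sub-CA": make_crl("Sub-CA", sub_priv, [])}
REVOKED_CRLS = {**CLEAN_CRLS, "Sub-CA": make_crl("Sub-CA", sub_priv, [3])}

def check_message(message: bytes, signature: int, crls, today=date(2025, 1, 1)):
    """What Alice does with Bob's signed message: validate his certificate first."""
    status = validate(BOB, DIRECTORY, ROOT, crls, today)
    if status != "valid":
        return status
    return "ok" if verify(BOB["public_key"], message, signature) else "bad message signature"
```

check_message(msg, sign(bob_priv, msg), CLEAN_CRLS) returns "ok"; swapping in REVOKED_CRLS, altering the message, omitting a CA's CRL or moving today past EXPIRY each returns the matching rejection reason instead.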
  42. Cross-Certification and Multiple Hierarchies
     [Diagram: three configurations]
     1. Multiple Roots
     2. Simple cross-certificate
     3. Complex cross-certificate
  43. X509 PKI: Approach to Trust: Problems
     Things are getting more and more complex if Hierarchies and Cross-Certifications are used
  44. Cross-Certification and Path Discovery
     [Diagram: path discovery across cross-certified hierarchies starting from a Trusted Root]
  45. X509 PKI: Approach to Legal Aspects: Certificate Policy and Certificate Practice Statement
  46. Certificate Policy (CP)
     • A document that sets out the rights, duties and obligations of each party in a Public Key Infrastructure
     • The Certificate Policy (CP) is a document which usually has legal effect
     • A CP is usually publicly exposed by CAs, for example on a Web Site (VeriSign, etc.)
  47. Certificate Policy (CP)
     [Diagram: Policy Outline around the CP: Community & Applicability; Rights, Liabilities & Obligations; Operational Requirements; Certificate & CRL Profiles; Identification & Authentication; Technical Security Control]
  48. Policy Issues (CP)
     • Liability Issues
     • Repository Access Controls
     • Confidentiality Requirements
     • Registration Procedures
       - Uniqueness of Names
       - Authentication of Users/Organisations
     • Suspension and Revocation (Online/CRL)
     • Physical Security Controls
     • Certificate Acceptance
  49. Certificate Practice Statement (CPS)
     • A document that sets out what happens in practice to support the policy statements made in the CP in a PKI
     • The Certificate Practice Statement (CPS) is a document which may have legal effect in limited circumstances
  50. Certificate Practice Statement (CPS)
     [Diagram: CPS outline: Introduction; General Provisions; Identification & Authentication; Operational Requirements; Physical, Procedural & Personnel; Technical Security Controls; Certificate & CRL Profiles; Specification Administration]
  51. IETF (PKIX) Standards
     • X.509 Certificate and CRL Profiles
     • PKI Management Protocols
     • Certificate Request Formats
     • CP/CPS Framework
     • LDAP, OCSP, etc.
     http://www.ietf.org/
  52. Identity is Not Enough: Attribute Certificates
     IETF (PKIX WG) is also defining standards for Attribute Certificates (ACs):
     • Visa Card (Attribute) vs. Passport (Identity)
     • Attribute Certificates specify Attributes associated to an Identity
     • Attribute Certificates don’t contain a Public key but a link to an Identity Certificate
