Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk


Page 1: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.

Some Technical Issues in PKI Deployment

David Chadwick

d.w.chadwick@salford.ac.uk


Certificate Extensions

• X.509v3 certificates hold a set of extensions
• Each extension is uniquely identified by a globally unique number (object identifier)
• Every organisation possesses its own OID, so can define their own extensions
  – Netscape extensions, Microsoft extensions, Entrust extensions, Baltimore extensions, Your very own extensions
• Therefore certificates are infinitely extensible, which can cause interoperability problems


Certificate Profiles

• These try to limit the extensions that are allowed in certificates
  – e.g. PKIX profile specified in RFC2459
• But the profiles themselves offer many options e.g.
  – one key pair, two key pair or three key pair
  – one policy or more
  – any algorithm, e.g. DSA, RSA or elliptic curve
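The interoperability problem from the Certificate Extensions and Certificate Profiles slides, as an added example that is not part of the original slides: a relying party that understands only a small profile walks a certificate's extension list and must decide what to do with OIDs it has never seen. The profile contents, the sample bytes and the OID 1.3.6.1.4.1.99999.1 are constructed for illustration; the reject/ignore rule for unrecognised extensions is the PKIX handling of the critical flag.

```python
# Added example: walk a DER SEQUENCE OF Extension and check each OID against a local profile.
PROFILE = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints"}  # hypothetical profile

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs are packed as 40*a + b
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_extensions(der):
    """Return [(oid, critical, verdict)] for a SEQUENCE OF Extension."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    results, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, after_oid = read_tlv(ext, 0)
        oid = decode_oid(oid_body)
        tag, val, _ = read_tlv(ext, after_oid)
        critical = tag == 0x01 and val != b"\x00"  # BOOLEAN absent means FALSE
        # Unrecognised: a critical extension forces rejection, a non-critical one may be ignored
        verdict = PROFILE.get(oid) or ("reject" if critical else "ignore")
        results.append((oid, critical, verdict))
    return results

# Constructed sample: keyUsage (critical), Netscape cert type, private-arc OID (critical)
SAMPLE = bytes.fromhex("3037" "300e0603551d0f0101ff0404030205a0"
    "301106096086480186f8420101040403020640" "301206092b06010401868d1f010101ff04020500")
print(check_extensions(SAMPLE))
```

The third extension is the failure case: a vendor-defined OID marked critical makes the whole certificate unusable for any relying party whose profile does not include it.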


Key Lifecycles

• Key Generation
  – by the CA or the user?
• Initial Certification
  – What protocol? CMP or CMS (PKCS#7)
• Storage of Private Keys
  – Where? hardware or software. Software is a problem in a university environment
  – Portability between applications
  – Portability of hardware devices e.g. smart cards
• Revocation of Public Key Certificates
  – How, and by whom. Automatic, manual, authentication etc.


Key Lifecycles (cont)

• Publication of Certificates and CRLs
  – Using LDAP, FTP or the Web?
  – Retrieval issues - how to select the right certificate
• Key Update/Roll over
  – User keys, manual or automatic
  – Root CA keys, and migration of users
• Key Backup
  – Do we want it or not? For decryption probably yes, for signing definitely NO
• Key Archive
  – For non-repudiation purposes


Problems with Use of LDAP

• Cannot search for particular certificates or CRLs
  – Create separate attributes and search for them
  – Retrieve the certificates from the same entry and hope they are the ones you want
• Cannot retrieve particular certificates or CRLs
  – Create separate attribute types e.g. encCertificate, userCertificate
  – Create separate entries e.g. CN=David Chadwick (Enc)
  – Create separate subtrees e.g. OU=Encryption
  – Create child entries holding different certificates
• LDAP is poor at supporting distributed directories
  – Causes problems for multiple CA interworking


Certification Infrastructures - Which Type?

• Hierarchy, with a root of trust e.g. Identrus, EuroPKI

• Cross certification between peer CAs or hierarchies - technical and legal issues

• Bridge CA - that is a central point for cross certification, sets policy, is a bridge of trust