Some Technical Issues in PKI Deployment David Chadwick [email protected].
-
Upload
gwendoline-sims -
Category
Documents
-
view
214 -
download
2
Transcript of Some Technical Issues in PKI Deployment David Chadwick [email protected].
Certificate Extensions• X.509v3 certificates hold a set of extensions• Each extension is uniquely identified by a globally
unique number (object identirfier)• Every organisation possesses its own OID, so can
define their own extensions– Netscape extensions, Microsoft extensions, Entrust
extensions, Baltimore extensions, Your very own extensions
• Therefore certificates are infinitely extensible, which can cause interoperability problems
Certificate Profiles
• These try to limit the extensions that are allowed in certificates– e.g. PKIX profile specified in RFC2459
• But the profiles themselves offer many options e.g.– one key pair, two key pair or three key pair– one policy or more– any algorithm, e.g. DSA, RSA or elliptic curve
Key Lifecycles• Key Generation
– by the CA or the user?
• Initial Certification– What protocol? CMP or CMS(PKCS#7)
• Storage of Private Keys– Where? hardware or software. Software is a problem in a
university environment– Portability between applications– Portability of hardware devices e.g. smart cards
• Revocation of Public Key Certificates– How, and by whom. Automatic, manual, authentication etc.
Key Lifecycles (cont)• Publication of Certificates and CRLs
– Using LDAP, FTP or the Web?
– Retrieval issues - how to select the right certificate
• Key Update/Roll over– User keys, manual or automatic
– Root CA keys, and migration of users
• Key Backup– Do we want it or not? For decryption probably yes, for signing definitely
NO
• Key Archive– For non-repudiation purposes
Problems with Use of LDAP• Cannot search for particular certificates or CRLs
– Create separate attributes and Search for them– Retrieve the certificates from the same entry and hope they are the ones you
want
• Cannot retrieve particular certificates or CRLs– Create separate attribute types e.g. encCertificate, userCertificate– Create separate entries e.g. CN=David Chadwick (Enc)– Create separate subtrees e.g.OU=Encryption– Create child entries holding different certificates
• LDAP is poor at supporting distributed directories– Causes problems for multiple CA interworking
Certification Infrastructures - Which Type?
• Hierarchy, with a root of trust e.g. Identrus, EuroPKI
• Cross certification between peer CAs or hierarchies - technical and legal issues
• Bridge CA - that is a central point for cross certification, sets policy, is a bridge of trust