CCSDS Security Working Group Fall 2015 Meeting
Certificate Management
9 November – 13 November 2015
Darmstadt, Germany
Charles Sheehe, NASA/Glenn


Certificate needs
• A Structure
• A provider
• A protocol


What do we need: Structure

C   Country
ST  State
L   City
O   Organizational name
OU  Organizational Unit name
CN  Domain name

These data elements should be formatted identically to the way W3C PKI structures the “Issuer” element: as a record reflecting the identity of the CA.


What do we need: Structure continued, 1
• Version
• Serial Number
• Algorithm ID
• Validity
• Not Before
• Not After
• Subject Key Info
• Key Algorithm
• Subject Key
• Issuer Unique Identifier
• Subject Unique Identifier
• Any extensions with defined meanings (optional)


What do we need: Structure continued, 2

ROLE  The role of the subject in the SANA CA ecosystem. Can take values of:
CA
National CA
Agency CA
Domain CA
DEVICE Cert
OPERATOR Cert
SOFTWARE Cert
INSTALLER Cert

Each role will carry particular capabilities to engage in various kinds of communication. For instance, the INSTALLER role will be able to supply device installation metadata to SANA CA. The National CA role will be authorized to engage in National CA-CA and National CA-Agency CA communications.

SANA_ID  For a role certificate, this field contains the certification SANA ID.

SERIAL_NUM  For multiple end points within a SANA ID.
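An added example, not part of the original slides: a Python check that a subject string carries all six attributes from the Structure slide and that no two records share the same (SANA_ID, SERIAL_NUM) pair. The comma-separated KEY=value string form, the one-value-per-attribute rule, the reading of SERIAL_NUM as unique per end point within a SANA ID, and all sample values are assumptions made for illustration.

```python
import re

REQUIRED = ("C", "ST", "L", "O", "OU", "CN")  # subject attributes from the Structure slide

def parse_subject(dn):
    """Split 'C=DE, ST=..., CN=...' into a dict; a backslash-escaped comma stays in the value."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed component: {part.strip()!r}")
        if key in attrs:  # assumption: one value per attribute
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = re.sub(r"\\(.)", r"\1", value)
    return attrs

def check_subject(dn):
    """Return a list of problems found in one subject string (empty list means OK)."""
    try:
        attrs = parse_subject(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {k}" for k in REQUIRED if k not in attrs]
    # X.520 countryName is a two-letter ISO 3166 code.
    if "C" in attrs and not re.fullmatch(r"[A-Za-z]{2}", attrs["C"]):
        problems.append("C must be a two-letter country code")
    return problems

def duplicate_endpoints(records):
    """Return (SANA_ID, SERIAL_NUM) pairs claimed by more than one record."""
    seen, dupes = set(), []
    for rec in records:
        pair = (rec["SANA_ID"], rec["SERIAL_NUM"])
        if pair in seen and pair not in dupes:
            dupes.append(pair)
        seen.add(pair)
    return dupes

# Constructed sample records; every value below is made up for illustration.
RECORDS = [
    {"subject": r"C=DE, ST=Hessen, L=Darmstadt, O=Example Agency\, Ops, OU=Ground, CN=gs1.example.org",
     "SANA_ID": "EXAMPLE-1", "SERIAL_NUM": 1},
    {"subject": "C=DE, ST=Hessen, L=Darmstadt, O=Example Agency, OU=Ground, CN=gs2.example.org",
     "SANA_ID": "EXAMPLE-1", "SERIAL_NUM": 2},
    {"subject": "C=Germany, O=Example Agency, CN=gs3.example.org",
     "SANA_ID": "EXAMPLE-1", "SERIAL_NUM": 2},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["subject"], "->", check_subject(rec["subject"]) or "OK")
    print("duplicate (SANA_ID, SERIAL_NUM):", duplicate_endpoints(RECORDS))
```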


What do we need: Provider and protocol
• Certificate management organization
  • https://letsencrypt.org/
• Protocol for certificates:
  • Automatic Certificate Management Environment (ACME)
    • draft-barnes-acme-04


Discussion