Some Technical Issues in PKI Deployment David Chadwick [email protected].
-
Upload
gwendoline-sims -
Category
Documents
-
view
214 -
download
2
Transcript of Some Technical Issues in PKI Deployment David Chadwick [email protected].
![Page 2: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/2.jpg)
Certificate Extensions• X.509v3 certificates hold a set of extensions• Each extension is uniquely identified by a globally
unique number (object identirfier)• Every organisation possesses its own OID, so can
define their own extensions– Netscape extensions, Microsoft extensions, Entrust
extensions, Baltimore extensions, Your very own extensions
• Therefore certificates are infinitely extensible, which can cause interoperability problems
![Page 3: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/3.jpg)
![Page 4: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/4.jpg)
Certificate Profiles
• These try to limit the extensions that are allowed in certificates– e.g. PKIX profile specified in RFC2459
• But the profiles themselves offer many options e.g.– one key pair, two key pair or three key pair– one policy or more– any algorithm, e.g. DSA, RSA or elliptic curve
![Page 5: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/5.jpg)
Key Lifecycles• Key Generation
– by the CA or the user?
• Initial Certification– What protocol? CMP or CMS(PKCS#7)
• Storage of Private Keys– Where? hardware or software. Software is a problem in a
university environment– Portability between applications– Portability of hardware devices e.g. smart cards
• Revocation of Public Key Certificates– How, and by whom. Automatic, manual, authentication etc.
![Page 6: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/6.jpg)
Key Lifecycles (cont)• Publication of Certificates and CRLs
– Using LDAP, FTP or the Web?
– Retrieval issues - how to select the right certificate
• Key Update/Roll over– User keys, manual or automatic
– Root CA keys, and migration of users
• Key Backup– Do we want it or not? For decryption probably yes, for signing definitely
NO
• Key Archive– For non-repudiation purposes
![Page 7: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/7.jpg)
Problems with Use of LDAP• Cannot search for particular certificates or CRLs
– Create separate attributes and Search for them– Retrieve the certificates from the same entry and hope they are the ones you
want
• Cannot retrieve particular certificates or CRLs– Create separate attribute types e.g. encCertificate, userCertificate– Create separate entries e.g. CN=David Chadwick (Enc)– Create separate subtrees e.g.OU=Encryption– Create child entries holding different certificates
• LDAP is poor at supporting distributed directories– Causes problems for multiple CA interworking
![Page 8: Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk.](https://reader036.fdocuments.us/reader036/viewer/2022083009/5697c0101a28abf838ccb171/html5/thumbnails/8.jpg)
Certification Infrastructures - Which Type?
• Hierarchy, with a root of trust e.g. Identrus, EuroPKI
• Cross certification between peer CAs or hierarchies - technical and legal issues
• Bridge CA - that is a central point for cross certification, sets policy, is a bridge of trust