
Number of slides: 22

EuroPKI
Corrado Derenale <derenale@athena.polito.it>
Politecnico di Torino, Dip. Automatica e Informatica

EuroPKI today
(map slide: the current hierarchy)

EuroPKI tomorrow
(map slide: the planned hierarchy; legend: CA, RA)
  Root: EuroPKI
  Italy: Turin Polytechnic, CSP, Verona University, Naples University, Camerino University, Macerata University, Calabria University, City of Modena, City of Macerata, City of Rome
  Austria: IAIK TU-Graz (server, "IAIK CRYPT")
  Slovenia: Halcom Trade Point Slovenija ("Intranet za Svetovni Splet", "za Posameznike")
  Romania: Bucharest Polytechnic
  Poland: EETIC
  RedIRIS: IRIS-PCA

EuroPKI - services
EuroPKI doesn't sell services even though it distributes them
§ basic services
  § certificate applicant authentication
  § certificate issuance
  § certificate revocation
  § certificate renewal
  § certificate publication
  § CRL issuance
  § CRL publication

EuroPKI - advanced services
§ OCSP
  (diagram: CRL -> OCSP responder -> relying party; the answer is "yes, no, what?", i.e. good, revoked or unknown)
§ TSA

OCSP - players
(diagram)
1. cert request: EE -> CA
2. certificate: CA -> EE
3. transaction request: EE -> relying party
4. OCSP request: relying party -> OCSP responder
5. OCSP response/error: OCSP responder -> relying party
6. transaction response: relying party -> EE

EuroPKI - OCSP responder features
§ RFC 2560 compliant
§ based on the OpenSSL 0.9.5a crypto library
  § OCSP patch for OpenSSL originally written by Tom Titchener for CertCo
  § OpenSSL 0.9.7 will incorporate support for OCSP
§ multiplatform, successfully built and running on
  § Win32
  § Solaris 2.x
  § Red Hat Linux 6.x/7.x

EuroPKI - OCSP responder features
§ configurable parameters:
  § port number to listen on for OCSP requests
  § transport mechanism to be used
  § CA certificate(s) of the CA(s) for which the responder is providing the OCSP service
  § CRL(s) from which the responder extracts the revocation information (associated with the above CAs)
  § responder's certificate and private key

EuroPKI - OCSP responder characteristics
§ multi-threaded server for Win32 OS
§ multi-process server for Unix-like OS
§ responder configuration:
  § limited number of simultaneous connections (against DoS)
  § accepting signed / unsigned OCSP requests
  § transport mechanism (HTTP is the default)

EuroPKI - OCSP client
§ available in two forms:
  § as a command-line application (for scripting)
  § as a library (for integration into applications)
§ input parameters:
  § OCSP responder location (hostname, port, transport mechanism)
  § target certificate to verify
  § the requester can choose whether or not to sign the OCSP request

EuroPKI - OCSP interoperability
§ responder successfully tested with:
  § PSM 1.4, the Personal Security Manager for Netscape 4.7x and 6.x (incorporated)
  § OpenSSL 0.9.7 (snapshot) OCSP test client
§ POLITO OCSP client successfully tested with:
  § ValiCert test responder (http://www.valicert.com/)
  § OpenValidation test responder (http://www.openvalidation.org/)
  § OpenSSL 0.9.7 (snapshot) OCSP test responder

TSP - architecture
(diagram)
1. digest: the EE hashes the document
2. request: EE -> TSA
3. get time: TSA <- time source
4. response: TSA -> EE
5. verify/store: the EE verifies the time stamp and stores it

EuroPKI - TSP features
§ RFC 3161 compliant (implements the client/server model)
§ currently supports only the socket-based protocol (will support HTTP too)
§ multiplatform (both client/verifier and server)
  § Win32 (server may run as a service under Windows NT and Windows 2000 using the srvany tool)
  § Linux 6.2 (tested)
  § Solaris 8 (tested)
§ based on OpenSSL 0.9.6a

EuroPKI - TSP server characteristics
§ acts as a Time Stamp Authority (TSA)
§ multi-threaded server for Win32 OS
§ multi-process server for Unix-like OS
§ configuration
  § limited number of simultaneous connections (against DoS)
  § external configuration file in text format

EuroPKI - TSP client
§ client (command line)
  § built on a Client API
  § external configuration file in text format
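Steps 1 and 2 of the TSP architecture slide (hash the document, send a TimeStampReq) as an added example in plain Python; this is not EuroPKI's TSP client, and the TSA-side parse of the request is shown alongside it. Only the standard library is used, so the DER encoding of the RFC 3161 TimeStampReq is written out by hand; the document bytes are constructed. Steps 3 and 4, the TSA's signed TimeStampResp (a CMS SignedData around a TSTInfo), are not implemented here.

```python
"""RFC 3161 TimeStampReq encoder/decoder in plain Python (stdlib only): steps 1 and 2 of the TSP slide.
Added example, not EuroPKI code. The client hashes the document itself and sends only the digest."""
import hashlib
import secrets

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1, the messageImprint hashAlgorithm
SEQUENCE, INTEGER, BOOLEAN, OID, OCTET_STRING, NULL = 0x30, 0x02, 0x01, 0x06, 0x04, 0x05


def _tlv(tag, body):
    """DER tag-length-value with definite length (short form below 128, long form above)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body


def _integer(value):
    # non-negative INTEGER: a leading 0x00 is added when the top bit is set, so it is not read as negative
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_timestamp_request(document, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER v1(1), messageImprint MessageImprint,
    reqPolicy OPTIONAL, nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE, extensions [0] OPTIONAL }"""
    digest = hashlib.sha256(document).digest()  # step 1: only the digest leaves the client
    alg_id = _tlv(SEQUENCE, _tlv(OID, SHA256_OID) + _tlv(NULL, b""))
    body = _integer(1) + _tlv(SEQUENCE, alg_id + _tlv(OCTET_STRING, digest))
    if nonce is not None:  # lets the client tie the TSA's answer to this exact request
        body += _integer(nonce)
    if cert_req:  # DER forbids encoding a DEFAULT value, so FALSE is simply omitted
        body += _tlv(BOOLEAN, b"\xff")
    return _tlv(SEQUENCE, body)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_timestamp_request(der):
    """What the TSA does on receipt: pull version, hash OID, digest, policy, nonce and certReq back out."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        fields.append((tag, value))
    if len(fields) < 2 or fields[0][0] != INTEGER or fields[1][0] != SEQUENCE:
        raise ValueError("missing version or messageImprint")
    _, alg_body, p = _read_tlv(fields[1][1], 0)
    _, hash_oid, _ = _read_tlv(alg_body, 0)
    _, digest, _ = _read_tlv(fields[1][1], p)
    req = {"version": int.from_bytes(fields[0][1], "big"), "hash_oid": hash_oid, "digest": digest,
           "policy": None, "nonce": None, "cert_req": False}
    for tag, value in fields[2:]:
        if tag == OID:
            req["policy"] = value
        elif tag == INTEGER:
            req["nonce"] = int.from_bytes(value, "big")
        elif tag == BOOLEAN:
            req["cert_req"] = value == b"\xff"
    return req


def demo():
    document = b"constructed sample document for the time-stamp example"  # constructed input
    nonce = secrets.randbits(64)
    der = build_timestamp_request(document, nonce=nonce)
    parsed = parse_timestamp_request(der)
    # step 5 later compares the TSTInfo messageImprint and nonce against exactly these values
    return {"der": der, "parsed": parsed, "nonce": nonce,
            "digest_matches": parsed["digest"] == hashlib.sha256(document).digest()}
```

The bytes returned by build_timestamp_request are a complete query: written to a file they can be inspected with `openssl ts -query -in req.tsq -text`, which is a convenient cross-check that the hand-rolled DER is what an RFC 3161 TSA expects. The nonce is what makes step 5 meaningful: the client must compare both the messageImprint and the nonce in the returned TSTInfo with what it sent, otherwise a TSA (or anyone in the path) could hand back a valid token for a different document or an old request.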

EuroPKI - tools
§ RA client/server
§ SSLTelnet
  § Unix server
  § the client is a Win32 GUI application
§ SSLFTP
  § Unix server
  § the client is a Win32 GUI application

EuroPKI - tools
§ both clients (SSLTelnet, SSLFTP) are smart-card compliant using the PKCS#11 interface

EuroPKI - software
§ to manage the EuroPKI root, the Italia CA and the polito CA we use the "POLITO software"
§ CAFE
  § the Front End
  § Apache Web server secured with mod_ssl
  § with one Apache server it is possible to serve more than one CA
§ CAMGR
  § the Back End
  § used to sign the requests and the CRL
  § can serve more than one CA

EuroPKI - software architecture
(diagram) CAFE and the RA run online, CAMGR (the CA) runs off-line:
1. request: the user client submits the request to CAFE
2. verify: the RA client / RA server verify the applicant
3. validate: the validated request is queued for the CA (labels: sigreq, pending)
4. sign: CAMGR signs it
5. publish: the certificate is published through CAFE
6. download: the user client downloads it

CSP
§ Secude
  § commercial product
  § support guaranteed
  § it is possible to set up a legal CA
§ OpenSSL
  § low-cost CA
  § fully functioning

Join legacy PKI
(diagram) root CA -> CA; extensions shown: AuthorityInfoAccess, and the AuthorityKeyIdentifier fields keyIdentifier, authorityCertIssuer, authorityCertSerialNumber