
f48d3b0162800cdb40f1820ea9201c61.ppt
- Number of slides: 13
Higher Education Bridge Certification Authority: Scalable Linking of PKI Trust Domains
David L. Wasley, Fall 2006 PKI Workshop
Topic Span
- What's a bridge?
- How is it different from "normal" PKI?
- Why is it useful?
- What is the HEBCA?
Bridged vs. Hierarchical PKI
- Hierarchical PKI assumes uniform policy and works with most products today
- Hierarchies are "PKI islands"
- Therefore browsers include 100+ "trust anchors"
- Bridging allows mapping between different PKI policies, but very few products support this (yet)
- Mapping info is used during path validation
- Bridging can link "islands" and provide superior trust management
- Therefore we believe it will become important ...
PKIs are islands of common trust
They can be 'networked'
What this looks like
- A Relying Party under (A) can build a path from a Subject under (C)
- This avoids the RP having to know and understand Trust Anchors (B) and (C)
- But not vice versa
Cross-cert can be done bi-laterally
A "bridge" serves as the hub of trust
How does the bridge deal with differences in PKI domain CPs?
- Trust is established by Certificate Policy
- Each PKI domain has a Trust Anchor
- Each domain can specify how its policy is met or exceeded by the other domain's policy
- Each can place limits on this trust
- If there is no equivalency, one doesn't trust the other
- The bridge does this with respect to each of its member domains
- Members must trust the bridge to do this adequately
- Each can limit how far it is willing to 'network'
How CPs are compared
- Identify all important issues in the CP
  - Organizational responsibilities
  - Trust-affecting issues
- Create matrices to organize the comparison
  - General or common elements
  - Elements that determine Level of Assurance
  - Other differentiating elements
How mapping is instantiated
- A CA's policy is identified by an OID
- One policy may define OIDs to represent variations such as LOA, etc.
- CA cross-certificate includes a "policy mapping field"
  - Contents defined by the Issuer
  - Pairs of OIDs
  - "Issuer considers its CP (OID) to be equivalent to Subject CA's CP (OID)" [See RFC 3280]
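Worked example (added here; not part of the original slides or of HEBCA's software): a simplified simulation of how the policy mapping pairs in a chain of cross-certificates are consumed during path validation, following the RFC 3280 rule that each cross-certificate rewrites the issuer's policy OIDs into the subject CA's OID space. The CA names and OIDs are constructed placeholders; inhibitPolicyMapping, anyPolicy and path length limits are left out.

```python
from dataclasses import dataclass, field

# Constructed placeholder OIDs under a fictitious private arc; not real policy OIDs.
A_MEDIUM = "1.3.6.1.4.1.99999.1.2"     # campus A's "medium" LOA policy
A_HIGH = "1.3.6.1.4.1.99999.1.3"       # campus A's "high" LOA policy
BRIDGE_MEDIUM = "1.3.6.1.4.1.99998.2"  # bridge's "medium" policy
C_MEDIUM = "1.3.6.1.4.1.99997.7"       # campus C's "medium" policy
C_BASIC = "1.3.6.1.4.1.99997.5"        # campus C's "basic" policy


@dataclass
class Cert:
    """The policy-relevant parts of one certificate in the path (constructed)."""
    issuer: str
    subject: str
    policies: frozenset                             # certificatePolicies asserted by the issuer
    mappings: dict = field(default_factory=dict)    # issuerDomainPolicy -> {subjectDomainPolicy}


def satisfied_policies(path, initial_policies):
    """Simplified RFC 3280 section 6.1 certificate policy processing.

    `expected` maps a policy OID in the current issuer's domain back to the
    relying party's initial policy it descends from.  Each certificate first
    prunes the policies its issuer did not assert, then rewrites the survivors
    through its policyMappings so the next certificate is judged in its own
    OID space.  Returns the subset of initial_policies the end entity satisfies.
    """
    expected = {oid: oid for oid in initial_policies}
    for cert in path:
        kept = {oid: init for oid, init in expected.items() if oid in cert.policies}
        expected = {}
        for oid, init in kept.items():
            for target in cert.mappings.get(oid, {oid}):   # unmapped OIDs pass through unchanged
                expected[target] = init
        if not expected:
            break   # no equivalent policy survives; later certificates cannot revive it
    return set(expected.values())


# Path from campus A's trust anchor through the bridge to a subject under campus C.
A_TO_BRIDGE = Cert("A", "Bridge", frozenset({A_MEDIUM, A_HIGH}), {A_MEDIUM: {BRIDGE_MEDIUM}})
BRIDGE_TO_C = Cert("Bridge", "C", frozenset({BRIDGE_MEDIUM}), {BRIDGE_MEDIUM: {C_MEDIUM}})
C_TO_USER = Cert("C", "user@C", frozenset({C_MEDIUM}))
C_TO_GUEST = Cert("C", "guest@C", frozenset({C_BASIC}))

if __name__ == "__main__":
    # A's "high" policy has no bridge equivalent, so only A_MEDIUM reaches user@C.
    print(satisfied_policies([A_TO_BRIDGE, BRIDGE_TO_C, C_TO_USER], {A_MEDIUM, A_HIGH}))
```

A relying party under A that requires A_HIGH gets an empty result for the same path, and guest@C (asserted only under C_BASIC) satisfies nothing, which is the "no equivalency, no trust" rule of the previous slide.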
Higher Education Bridge CA - HEBCA
- Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
- Patterned after the Federal Gov't FBCA
- Will cross-cert with FBCA eventually
- Operated at Dartmouth College
- Test bridge is running
- CP/CPS almost complete
- Concern about whether there is enough interest (yet) to justify full operation
- Planning to keep test bridge running
Questions?
- dlwasley@earthlink.net