libpkix & Cert. Path: Bringing High Quality Certificate Handling to the Masses PKI Higher Education Summit July 14, 2004 Steve Hanna, Sun Microsystems, Inc. Copyright 2004 Sun Microsystems, Inc. All Rights Reserved
Outline ● ● Path Validation & Building Cert. Path libpkix Discussion
Path Validation ● Given a chain of X. 509 certificates and a set of parameters, check if chain is valid ● ● ● ● Signatures Subject-Issuer Name Chaining Expiration/Validity Revocation Name Constraints Policy Processing Used in SSL/TLS, IPsec, S/MIME, SSO, etc. Described in IETF RFC 3280
Path Building ● Given a set of parameters, build a valid chain of X. 509 certificates to a particular target ● Active research area ● ● Simple solutions known (DFS, BFS) More advanced ones being explored ● ● ● Meet in Middle Best-First Search Heuristics Expert Servers Prebuilt Paths Scaling Problems
Cert. Path ● Java API and libraries ● ● ● Build and validate chains of X. 509 certificates API standardized through JSR 55 in 2001 Included in J 2 SE SDK 1. 4 and later Comply with IETF RFC 3280 Pass NIST PKITS Support any PKI topology ● Recent Enhancements: ● ● Performance Analysis, Caching Simple CRL DP Processing OCSP Support Fixes to Pass PKITS
libpkix ● Portable C library ● ● ● ● Build and validate chains of X. 509 certificates Soon to be Open Source (BSD) on Source. Forge Will comply with RFC 3280 and pass PKITS Portable Efficient (Thread-Hot) Support any PKI topology Designed to plug easily into any code base: Mozilla, Open. SSL, etc. ● Not Complete Yet
Primary Obstacles to PKI Deployment and Usage 1) Software Applications Don't Support It 2) Costs Too High 3) PKI Poorly Understood 4) Too Much Focus on Technology, Not Enough on Need 5) Poor Interoperability Source: OASIS PKI TC August 2003 Survey http: //www. oasis-open. org/committees/pkiobstaclesaugust 2003 surveyreport. pdf
Why Cert. Path and libpkix? ● We need strong PKI support in applications ● ● ● Standards-compliant Reliable Interoperable Bridge CA compatible Application vendors will add such support if ● Revenue boost substantially exceeds costs ● ● NIST draft rec, J GPKI => revenue impact Strong Open Source library => lower development costs
libpkix Architecture Application/Library libpkix Portable Code libpkix Portability Layer Platform (OS, NSS, Open. SSL, etc. )
libpkix Development Team ● Sun Labs Internet Security Research Group ● ● ● Created Cert. Path libraries (in JDK 1. 4 & later) which pass PKITS tests Authors of NDSS '01 paper on path building Ongoing PKI research: R&D Workshop, etc. Active in IETF PKIX WG, OASIS PKI TC, etc. Dartmouth PKI Lab ● ● PKI Research and Deployment Dozens of Papers and Prototypes Years of Deployment Experience Responsible for HEBCA
libpkix Applications ● NSS ● ● ● Mozilla Sun servers Netscape servers ● Open. SSL ● Others in discussions
libpkix Implementation Status ● Architecture Complete ● APIs Complete ● Basic NSS Portability Layer Working ● Starting on Basic Path Validation
Current Schedule ● Fall 2004 – Basic Path Validation ● Summer 2005 – Full Path Validation ● Summer 2006 – Full Path Building ● Summer 2007 – Certificate Collection ● Later – Optional Features (CRL DP, segmented CRLs, etc. )
libpkix Assistance Needed ● Funding to hire an engineer ● ● $100 K for one engineer for one year Accelerates schedule ~1. 8 x ● ● Spring 2005 – Full Path Validation Fall 2005 – Full Path Building Seeking funding from vendors & U. S. Gov Direct implementation assistance ● Undergrad/grad projects ● ● ● Path validation modules Path building heuristics and algorithms Full-time engineer
For More Info ● Read Cert. Path Programmer's Guide http: //java. sun. com/security ● Read libpkix Architecture and libpkix Programmer's Guide http: //libpkix. sourceforge. net ● Email libpkix-discuss@lists. sourceforge. net or steve. hanna@sun. com
Discussion
Скачать презентацию libpkix Cert Path Bringing High Quality Certificate
cad2664f92eb08700e92500c01aca898.ppt