Скачать презентацию libpkix Cert Path Bringing High Quality Certificate Скачать презентацию libpkix Cert Path Bringing High Quality Certificate

cad2664f92eb08700e92500c01aca898.ppt

  • Количество слайдов: 16

libpkix & Cert. Path: Bringing High Quality Certificate Handling to the Masses PKI Higher libpkix & Cert. Path: Bringing High Quality Certificate Handling to the Masses PKI Higher Education Summit July 14, 2004 Steve Hanna, Sun Microsystems, Inc. Copyright 2004 Sun Microsystems, Inc. All Rights Reserved

Outline ● ● Path Validation & Building Cert. Path libpkix Discussion Outline ● ● Path Validation & Building Cert. Path libpkix Discussion

Path Validation ● Given a chain of X. 509 certificates and a set of Path Validation ● Given a chain of X. 509 certificates and a set of parameters, check if chain is valid ● ● ● ● Signatures Subject-Issuer Name Chaining Expiration/Validity Revocation Name Constraints Policy Processing Used in SSL/TLS, IPsec, S/MIME, SSO, etc. Described in IETF RFC 3280

Path Building ● Given a set of parameters, build a valid chain of X. Path Building ● Given a set of parameters, build a valid chain of X. 509 certificates to a particular target ● Active research area ● ● Simple solutions known (DFS, BFS) More advanced ones being explored ● ● ● Meet in Middle Best-First Search Heuristics Expert Servers Prebuilt Paths Scaling Problems

Cert. Path ● Java API and libraries ● ● ● Build and validate chains Cert. Path ● Java API and libraries ● ● ● Build and validate chains of X. 509 certificates API standardized through JSR 55 in 2001 Included in J 2 SE SDK 1. 4 and later Comply with IETF RFC 3280 Pass NIST PKITS Support any PKI topology ● Recent Enhancements: ● ● Performance Analysis, Caching Simple CRL DP Processing OCSP Support Fixes to Pass PKITS

libpkix ● Portable C library ● ● ● ● Build and validate chains of libpkix ● Portable C library ● ● ● ● Build and validate chains of X. 509 certificates Soon to be Open Source (BSD) on Source. Forge Will comply with RFC 3280 and pass PKITS Portable Efficient (Thread-Hot) Support any PKI topology Designed to plug easily into any code base: Mozilla, Open. SSL, etc. ● Not Complete Yet

Primary Obstacles to PKI Deployment and Usage 1) Software Applications Don't Support It 2) Primary Obstacles to PKI Deployment and Usage 1) Software Applications Don't Support It 2) Costs Too High 3) PKI Poorly Understood 4) Too Much Focus on Technology, Not Enough on Need 5) Poor Interoperability Source: OASIS PKI TC August 2003 Survey http: //www. oasis-open. org/committees/pkiobstaclesaugust 2003 surveyreport. pdf

Why Cert. Path and libpkix? ● We need strong PKI support in applications ● Why Cert. Path and libpkix? ● We need strong PKI support in applications ● ● ● Standards-compliant Reliable Interoperable Bridge CA compatible Application vendors will add such support if ● Revenue boost substantially exceeds costs ● ● NIST draft rec, J GPKI => revenue impact Strong Open Source library => lower development costs

libpkix Architecture Application/Library libpkix Portable Code libpkix Portability Layer Platform (OS, NSS, Open. SSL, libpkix Architecture Application/Library libpkix Portable Code libpkix Portability Layer Platform (OS, NSS, Open. SSL, etc. )

libpkix Development Team ● Sun Labs Internet Security Research Group ● ● ● Created libpkix Development Team ● Sun Labs Internet Security Research Group ● ● ● Created Cert. Path libraries (in JDK 1. 4 & later) which pass PKITS tests Authors of NDSS '01 paper on path building Ongoing PKI research: R&D Workshop, etc. Active in IETF PKIX WG, OASIS PKI TC, etc. Dartmouth PKI Lab ● ● PKI Research and Deployment Dozens of Papers and Prototypes Years of Deployment Experience Responsible for HEBCA

libpkix Applications ● NSS ● ● ● Mozilla Sun servers Netscape servers ● Open. libpkix Applications ● NSS ● ● ● Mozilla Sun servers Netscape servers ● Open. SSL ● Others in discussions

libpkix Implementation Status ● Architecture Complete ● APIs Complete ● Basic NSS Portability Layer libpkix Implementation Status ● Architecture Complete ● APIs Complete ● Basic NSS Portability Layer Working ● Starting on Basic Path Validation

Current Schedule ● Fall 2004 – Basic Path Validation ● Summer 2005 – Full Current Schedule ● Fall 2004 – Basic Path Validation ● Summer 2005 – Full Path Validation ● Summer 2006 – Full Path Building ● Summer 2007 – Certificate Collection ● Later – Optional Features (CRL DP, segmented CRLs, etc. )

libpkix Assistance Needed ● Funding to hire an engineer ● ● $100 K for libpkix Assistance Needed ● Funding to hire an engineer ● ● $100 K for one engineer for one year Accelerates schedule ~1. 8 x ● ● Spring 2005 – Full Path Validation Fall 2005 – Full Path Building Seeking funding from vendors & U. S. Gov Direct implementation assistance ● Undergrad/grad projects ● ● ● Path validation modules Path building heuristics and algorithms Full-time engineer

For More Info ● Read Cert. Path Programmer's Guide http: //java. sun. com/security ● For More Info ● Read Cert. Path Programmer's Guide http: //java. sun. com/security ● Read libpkix Architecture and libpkix Programmer's Guide http: //libpkix. sourceforge. net ● Email libpkix-discuss@lists. sourceforge. net or steve. hanna@sun. com

Discussion Discussion