da55098b553ebebb6f22e4a95bf51f9e.ppt
- Number of slides: 13
mPKI Interoperability I-D ChangeLog from -00 to -01
Oct 27, 2003
Masaki SHIMAOKA, SECOM Trust.net
Abstract of this I-D
- This memo is used to share the awareness necessary for deployment of multi-domain PKI.
- The scope of this memo is to establish trust relationships and interoperability between plural PKI domains.
- Both single-domain PKI and multi-domain PKI are established by the trust relationships between CAs.
- Typical and primitive PKI models are specified as single-domain PKI.
- Multi-domain PKI established by plural single-domain PKIs is categorized into the multi-trust point model and the single-trust point model.
- The multi-trust point model is based on the trust list model, and the single-trust point model is based on cross-certification.
I-D contents
- 1 Introduction
- 2 Requirements and Assumptions
- 3 Trust Relationship
- 4 PKI Domain (new)
- 5 Single-domain PKI
- 6 Multi-domain PKI
- 7 Security Considerations
- 8 References
- 9 Acknowledgements
- 10 Author's Address
- 11 Full Copyright Statement
CHANGES
- Add the figures
  - Cross-Certification model
  - Subordination model
  - Hub model
- Terminology and Assumptions
  - Modify some terminology
  - Assumptions for Repository
  - Define PKI Domain
- Add new section
  - Structure of multi-domain PKI
  - Each PKI model
  - Trusted Third CA in Hub model and Super domain model
- Consider for trusted third CA
  - Add new section
  - Modify a definition of some PKI model
- Security Considerations
  - Certificate and CRL Profile
  - Asymmetric problem
1. Structure of multi-domain PKI

   +------------------------+                  +------------------------+
   | PKI domain             |                  | PKI domain             |
   |                        |  Domain-Domain   |                        |
   |     +-----+            |      Trust       |         +-----+        |
   |     | PCA |<===========+= Relationship ===+========>| PCA |        |
   |     +-----+            |                  |         +-----+        |
   |        ^               |                  |                        |
   |        | CA-CA Trust   |                  |                        |
   |        | Relationship  |                  |                        |
   |        v               |                  |                        |
   |     +----+             |                  |                        |
   |     | CA |             |                  |                        |
   |     +----+             |                  |                        |
   +------------------------+                  +------------------------+
2. Requirements & Assumptions
- Modified Terminology
  - See the actual I-D.
- Assumptions for Repository
  - A repository is necessary to support a certification path.
  - This I-D does not specify whether HTTP or LDAP is used.
3 Trust relationship
- 3.2 Cross-Certification
  - Change the self-signed cert requirement of the CA issuing the cross-cert from SHOULD to MUST
  - Add how to store the cross-certificate in the directory server
- 3.3 Subordination
  - Add considerations for the case where the sub CA issues a self-signed cert
4 PKI domain
- 4.1 Requirements for PKI domain
  - Set of PKIs sharing more than one common policy
  - No need for a policyId of the common policy
- 4.2 Risk Analysis of PKI domain
  - Problems depending on the lack of a policyId
- 4.3 Requirements for multi-domain PKI
  - More requirements for multi-domain PKI
6 Multi-domain PKI
- 6.2.3 Hub model
  - Add requirements in detail
  - Especially Bridge CA requirements
- 6.2.4 Considerations for trusted third CA
  - Trusted Third CA
    - Bridge CA in Hub model
    - Top CA in Super domain model
  - Considerations for trusted third CA in multi-domain PKI
7 Security Considerations
- Certificate and CRL profile
  - critical flag of extensions for the local PKI domain
- Asymmetric problem
  - Hybrid trust model
    - CrossCert X to Y: cross-certification model
    - Y to X: trust list model
  - Asymmetric policy mapping
    - X to Y: X.1 := Y.1
    - Y to X: Y.1 := X.2
  - Figure: CA-A holds CA-X in its trust list (A.1 := X.1 := Y.1); CA-X cross-certifies CA-Y (X.1 := Y.1); CA-Y cross-certifies CA-X (Y.1 := X.2); CA-X cross-certifies CA-B (X.2 := B.1). SHALL CA-A trust CA-B?
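The following is an added example written for this page; it is not code from the I-D, the slides, or SECOM Trust.net. It models the two multi-domain models named in the abstract (trust list = multi-trust point, cross-certification = single-trust point) together with the asymmetric policy-mapping question on this slide, using the CA names and policy identifiers from the figure (CA-A, CA-X, CA-Y, CA-B; A.1, X.1, X.2, Y.1, B.1). The Cert class, the "trust-list" edge kind and the search functions are assumptions of the example, not definitions from the I-D.

```python
"""Toy model of inter-domain trust and policy mapping.

Added example, not code from the I-D or the slides. It models the two
multi-domain PKI models named in the abstract (trust list model =
multi-trust point, cross-certification = single-trust point) and the
asymmetric policy-mapping question on the Security Considerations slide
("SHALL CA-A trust CA-B?"). CA names and policy identifiers (A.1, X.1,
X.2, Y.1, B.1) are taken from the slide; the Cert class and the search
functions are assumptions of this example.
"""


class Cert:
    """One trust edge from issuer to subject.

    kind is "cross-cert" (issuer signed a certificate for subject) or
    "trust-list" (subject's self-signed certificate is installed as an
    anchor in issuer's domain; no certificate is issued). mapping gives,
    for each issuer-domain policy id, the subject-domain policy id the
    issuer declares equivalent (RFC 5280 policyMappings semantics).
    """

    def __init__(self, issuer, subject, mapping, kind="cross-cert"):
        self.issuer = issuer
        self.subject = subject
        self.mapping = dict(mapping)
        self.kind = kind


# Constructed scenario from the slide: A lists X; X and Y cross-certify
# asymmetrically; X also cross-certifies B under its second policy.
CERTS = [
    Cert("CA-A", "CA-X", {"A.1": "X.1"}, kind="trust-list"),
    Cert("CA-X", "CA-Y", {"X.1": "Y.1"}),
    Cert("CA-Y", "CA-X", {"Y.1": "X.2"}),
    Cert("CA-X", "CA-B", {"X.2": "B.1"}),
]


def trust_points(certs, own_ca):
    """Trust anchors a relying party under own_ca must hold: its own CA
    (the single trust point when only cross-certification is used) plus
    every CA on its trust list (multi-trust point model)."""
    listed = [c.subject for c in certs
              if c.issuer == own_ca and c.kind == "trust-list"]
    return [own_ca] + listed


def paths(certs, start, target, max_len=5):
    """Enumerate trust paths from start to target, at most max_len edges.
    A CA may appear twice on a path (X -> Y -> X), which is exactly how
    the asymmetric mapping becomes reachable, so depth is bounded instead
    of forbidding revisits."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    found = []

    def walk(ca, path):
        if path and ca == target:
            found.append(list(path))
            return
        if len(path) >= max_len:
            return
        for c in by_issuer.get(ca, []):
            path.append(c)
            walk(c.subject, path)
            path.pop()

    walk(start, [])
    return found


def map_policy(path, policy):
    """Carry a policy id through the mappings along the path. Returns the
    equivalent policy in the last CA's domain, or None if some edge has
    no mapping for it (the path is not valid under that policy)."""
    for c in path:
        policy = c.mapping.get(policy)
        if policy is None:
            return None
    return policy


def equivalent_policies(certs, start, target, policy, max_len=5):
    """For every path that carries policy from start to target, map the
    path description to the target-domain policy id it ends in."""
    result = {}
    for p in paths(certs, start, target, max_len):
        mapped = map_policy(p, policy)
        if mapped is not None:
            desc = " -> ".join([p[0].issuer] + [c.subject for c in p])
            result[desc] = mapped
    return result


if __name__ == "__main__":
    print("anchors for CA-A's relying parties:", trust_points(CERTS, "CA-A"))
    print("anchors for CA-X's relying parties:", trust_points(CERTS, "CA-X"))
    # The direct path A -> X -> B carries no policy: X.1 is never mapped
    # to X.2. The loop A -> X -> Y -> X -> B does reach B.1.
    for desc, pol in equivalent_policies(CERTS, "CA-A", "CA-B", "A.1").items():
        print(f"{desc}: A.1 is treated as {pol}")
```

Run stand-alone, the direct path CA-A -> CA-X -> CA-B yields no policy (CA-X never declares X.1 equivalent to X.2), yet CA-A -> CA-X -> CA-Y -> CA-X -> CA-B maps A.1 all the way to B.1 through Y's asymmetric mapping Y.1 := X.2. That is the risk the slide points at: CA-A's relying parties end up accepting CA-B under A.1 on the strength of a policy equivalence CA-X itself never asserted. A defender reviewing cross-certificates would look for exactly this kind of mapping cycle, and RFC 5280 path validation offers the policyConstraints extension (inhibitPolicyMapping) to stop mappings from propagating beyond a chosen depth.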
Working Items
- To sort an intentional model and a non-intentional model
  - Authority Trust List model and Mesh model MAY be non-intentional models.
- To consider the Trust list model again
  - Most actual Trust list models do not use a policyId.
- To select appropriate terms
  - trusty PKI domain and trusted PKI domain
  - trusted third CA
  - Top CA in Super Domain model
- To maintain the remaining TBD items
- MUST collect more comments and review! All items will be fixed in -02.
Future Plan
- '03 Nov
  - 58th IETF
  - To discuss with AD and WG chairs the necessity to publish this BCP.
  - Call reviewer
- '03 Dec
  - will release -02
- '04 Jan
  - Review by reviewer
- '04 Feb
  - will release -03 reflecting the review
- '04 Mar
  - 59th IETF
  - Poll on PKIX ML
- '04 Apr
  - will release -04 reflecting the review on the PKIX ML
  - To recommend standardization of this I-D to the IESG with AD and WG chairs.
- '04 Aug
  - 60th IETF
  - Hope the status is Last Call by the 60th IETF!
Related Resources
- Challenge PKI homepage
  - Multi-domain PKI Interoperability Framework: http://www.jnsa.org/mpki/
  - The newest version of this I-D is available via a link there. This site is also the repository of this I-D for minor updates.