Proxy Certificate Profile draft-ietf-pkix-proxy-04

  • Number of slides: 5

Proxy Certificate Profile
• draft-ietf-pkix-proxy-04
• Motivation:
  – Grid Computing – users dynamically creating entities (e.g. computational jobs)
  – Need to name created entities
  – Need to grant rights to created entities
  – Dynamic nature of creation makes traditional CA process too heavyweight

IETF 3-20-2003 Von Welch (welch@mcs.anl.gov)

Summary of Approach
• End entity creates Proxy Cert (PC) for created entity
  – Looks like X.509 identity cert
  – Has critical extension identifying it as a PC
  – Has identity based off/scoped by EEC identity
    • But distinct and unique

Summary (cont)
• Can contain intention of EE to delegate all/none/some of its rights to PC holder
• Arbitrary policy for delegate
  – Define OID and policy blob
  – Policy defined for All (allows for “impersonation” in terms of authorization)
  – Policy defined for No rights delegated (allows for an “independent” proxy)
• With PV changes, a PC chain works in place of standard EEC chain in TLS, SSL, etc.

Changes since Atlanta (draft-03)
• Path validation now specified as additions to RFC 3280
  – Based on feedback from PKIX
  – As opposed to modifications to 3280
  – Describes steps for validating PC part of cert chain
  – Take outputs from 3280 PV and use to do PV on PC part of cert chain
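The checks these slides describe for the PC part of a chain, as an added example that is not from the original presentation or the draft's authors. It is a simplified Python model (no ASN.1 parsing, signature or validity-period checks); `Cert`, the policy labels and `validate_proxy_part` are hypothetical names, and the naming rule (issuer name plus one CN) follows RFC 3820, the published form of this draft.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed labels standing in for the policy OIDs the slides mention.
INHERIT_ALL = "all"    # EE delegates all of its rights ("impersonation")
INDEPENDENT = "none"   # no rights delegated ("independent" proxy)

@dataclass
class Cert:
    subject: tuple                    # RDNs, e.g. ("O=Grid", "CN=Alice")
    issuer: tuple
    proxy_ext_critical: bool = False  # critical PC extension present?
    policy: Optional[str] = None      # INHERIT_ALL, INDEPENDENT or a custom id

def validate_proxy_part(eec_path_ok, eec, proxies):
    """Validate the PC part of a chain, given the RFC 3280 result for the EEC.
    Returns (ok, detail): the failure reason, or the share of the EEC's
    rights that reaches the last PC ("all", "none" or "restricted")."""
    if not eec_path_ok:
        return False, "EEC path failed RFC 3280 validation"
    if eec.proxy_ext_critical:
        return False, "chain must start at an end entity certificate"
    issuer_cert, effective = eec, INHERIT_ALL
    for depth, pc in enumerate(proxies, start=1):
        if not pc.proxy_ext_critical:
            return False, f"PC {depth}: missing critical proxy extension"
        if pc.issuer != issuer_cert.subject:
            return False, f"PC {depth}: issuer is not the previous subject"
        # Identity scoped by the issuer: the issuer's name plus one extra CN.
        n = len(pc.issuer)
        extra = pc.subject[n:]
        if pc.subject[:n] != pc.issuer or len(extra) != 1 or not extra[0].startswith("CN="):
            return False, f"PC {depth}: subject not scoped by issuer name"
        if pc.policy is None:
            return False, f"PC {depth}: no delegation policy"
        # Rights only narrow along the chain: none beats restricted beats all.
        if pc.policy == INDEPENDENT or effective == INDEPENDENT:
            effective = INDEPENDENT
        elif pc.policy != INHERIT_ALL:
            effective = "restricted"
        issuer_cert = pc
    return True, effective

# Constructed sample chain: Alice's EEC followed by two proxies.
EEC = Cert(("O=Grid", "CN=Alice"), ("O=Grid", "CN=CA"))
PC1 = Cert(EEC.subject + ("CN=1001",), EEC.subject, True, INHERIT_ALL)
PC2 = Cert(PC1.subject + ("CN=1002",), PC1.subject, True, "custom-policy")
```

A relying party would call `validate_proxy_part` only after its normal RFC 3280 validation of the EEC's chain, passing that result in as `eec_path_ok`.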

Changes (cont)
• ASN.1 module added
• IETF/PKIX issued OIDs for defined policies
• Correction of criticality of keyUsage extension in Proxy Certificates
  – Must be critical only if EEC’s is critical