3 IETF PKI TAM Trust Anchor Management
3. IETF (Internet Engineering Task Force) PKIX WG

3.1. IETF PKIX WG

2006 PKI (Public-Key Infrastructure) IETF PKIX WG 2007 69 IETF 70 IETF WG PKIX WG 2006 3 2

3.2. 69 IETF PKIX WG

2007 7 26 5 PKIX WG ITU-T X.509 WG (Working Group) - PKIX WG 1 (Figure 3-1)

1 IETF PKIX WG http://www.ietf.org/html.charters/pkix-charter.html
2 2006 http://www.nic.ad.jp/ja/research/200707-ca/

75
Public-Key Infrastructure (X.509) WG, 69 IETF, 2007/7/26 15:10-16:10 (70)
Agenda
  Document Status Overview
  WG documents
    SCVP
    Subject Public Key info for ECC keys
  Related specifications and Liaison
    WebDav for certificate publication and revocation
    SCEP
    PRQP
    (Syntax for binding documents with time-stamps)
    Framework on key compromise
    Three short fixes

Figure 3-1 Public-Key Infrastructure (X.509) WG 69 IETF

Figure 3-2 69 IETF
69 IETF PKIX WG
  RFC Editor
    Lightweight OCSP (Proposed Standard)
    Service Name SAN (Subject Alt Name)
  IESG
    Server-based Certificate Validation Protocol (SCVP)
    RFC 3280bis
    CMC (3 documents)
  WG
    Draft for ECDSA and DSA with SHA-2 family of hash algorithms
    ECC algorithms
    Credential Selection Criteria Data Structure

Figure 3-2 69 IETF PKIX WG

Lightweight OCSP subjectaltname Service Name SAN IESG RFC 69 IETF RFC Editor 2008 3 Lightweight OCSP RFC5019 3 Service Name SAN RFC4985 SCVP (Server-based Certificate Validation Protocol) RFC3280 (RFC3280bis) CMC (Certificate Management over CMS) 3 IESG 2008 3 SCVP RFC5055 4 RFC3280bis CMC RFC Editor RFC3280bis IESG CRL

3 The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (RFC 5019) http://www.ietf.org/rfc/rfc5019.txt
4 Server-based Certificate Validation Protocol (SCVP) (RFC 5055) http://www.ietf.org/rfc/rfc5055.txt
WG Internet-Draft SCVP ECC Subject Key Info SCVP http TLS ECC Subject Key Info ML 2008 3 SCVP RFC5055 ECC Working Document Related specifications and Liaison (Figure 3-3)

Related specifications and Liaison
  WebDAV for certificate publication and revocation
    WebDAV
  SCEP (Simple Certificate Enrollment Protocol)
    SCEP RFC
    Tim Polk (AD) PKIX CMC (Paul Hoffman) informational RFC
  PRQP (PKI Resource Discovery Protocol)
    URI OpenCA I-D ML
  PKI Disaster Recovery and Key Rollover
    CA rollover informational RFC
  Three short fixes
    Three experimental RFC
    subject OID WebTrust compliant
  WG

Figure 3-3 Related specifications and Liaison

PKIX WG WebDAV PKI Disaster Recovery and Key Rollover
WebDAV for certificate publication and revocation
  WebDAV Representational State Transfer (REST)
  URL
  CRL
  DoS
  https://server.dns.name/c=gb/o=university%20of%20kent/cn=david%20chadwick/
  https://server.dns.name/c=gb/o=university%20of%20kent/cn=crls/ CRL

Figure 3-4 WebDAV for certificate publication and revocation

WebDAV LDAP URL CN (Common Name) URL URL WebDAV PKI Disaster Recovery and Key Rollover PKIX WG individual draft Disaster Recovery
PKI Disaster Recovery and Key Rollover
  CRL DoS
  Revocation Authority, Attribute Authority, Time-Stamp Authority, CRL Repository
  individual draft WG draft PKIX WG WG

Figure 3-5 PKI Disaster Recovery and Key Rollover

2001 7 Joel Kazin CPS (Certificate Practice Statement) PKI Informational RFC Revocation Authority Attribute Authority (Time-stamp Authority) CRL DoS (Denial of Services)

3.3. TAM Trust Anchor Management

TAM BoF 69 IETF 7 27 70 VPN TAM BoF Web VPN
Carl Wallace out-of-band (Figure 3-6, Figure 3-7) TAM problem statement
Problem Statement
  Problem statement: draft-wallace-ta-mgmt-problem-statement-01
  trust anchor store
  draft-ietf-dnsext-trustupdate-timers
  trust anchor
  Trust Anchor: rfc3280, OCSP

Figure 3-6 Problem Statement

trust anchor store Web IPsec
Problem Statement
  trust anchor store add/remove/query
  out-of-band
  trust anchor
  trust anchor store
  trust anchor out-of-band fingerprint
  trust anchor store
  disaster recovery
  trust anchor authority trust anchor store
  trust anchor manager trust anchor delegation

Figure 3-7 Problem Statement

trust anchor store fingerprint out-of-band BoF
TAM BoF
  Tim Polk BoF
  WG problem statement constituency
  trust anchor manager
  "trust anchor"
  APNIC Terry
  IETF ML
  WG

Figure 3-8 TAM BoF

Tim Polk BoF WG Trust Anchor Management IETF WG PKIX WG

3.4. 70 IETF PKIX WG

2007 12 3 1
Public-Key Infrastructure (X.509) WG, 70 IETF, 2007/12/3 13:05-15:05 (50)
Agenda
  WG Status and Direction
  PKIX WG Specifications
    Certificate and Certificate Revocation List Profile (3280bis)
    Certificate Management Messages over CMS
    Subject public key info resolution for ECC
    OCSP Algorithm agility
  Related specifications and Liaison Presentations
    Liaison statements received from ITU-T SG17
    Trust Anchor Management Protocol (TAMP)
    Updating ASN.1 modules to 1998 syntax
    Credential selection - Mainly a PKI problem
    Resource Discovery Protocol

Figure 3-9 Public-Key Infrastructure (X.509) WG 70 IETF

Stefan Santesson Credential selection 70 IETF PKIX WG (Figure 3-10)
70 IETF PKIX WG
  RFC Editor
    Server-based Certificate Validation Protocol (SCVP)
  IESG
    RFC 3280bis
    CMC (3 documents)
  WG
    Draft for ECDSA and DSA with SHA-2 family of hash algorithms
    ECC algorithms

Figure 3-10 70 IETF PKIX WG

Server-based Certificate Validation Protocol (SCVP) RFC Editor RFC3280bis CMC IESG 2008 3 SCVP RFC5055 RFC3280bis CMC RFC Editor PKIX WG (Figure 3-10)
PKIX WG
  Subject public key info resolution for ECC
    ECC (Elliptic Curve Cryptography)
    12
    RFC4055 X9.62-2005 RFC4055
  OCSP Algorithm agility
    draft-hallambaker-ocspagility-00.txt
    ML

Figure 3-11 PKIX WG

ECC RFC4055 5 X9.62-2005 6 RFC4055 OCSP Algorithm agility OCSP (Online Certificate Status Protocol) OCSP ITU-T PKIX WG

5 Certificate and Certificate Revocation List (CRL) Profile (RFC 4055) http://www.ietf.org/rfc/rfc4055.txt
6 ANSI X9.62-2005 Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) http://webstore.ansi.org/recorddetail.aspx?sku=ansi+x9.62%3a2005
PKIX WG
  Related Specifications and Liaison Presentations
  Liaison statements received from ITU-T SG17
    ITU-T PKIX WG
    streetaddress upper bound unbound
    bufferoverflow
    CA
    no responsible and no mechanism

Figure 3-12 PKIX WG

ITU-T DN (Distinguished Name) DN streetaddress organizationname 64 128 PKIX WG PKI bufferoverflow CA CA CA PKIX WG IETF PKIX WG
69 IETF BoF TAM PKIX WG PKIX WG WG ML 70 IETF PKIX WG PKIX WG

PKIX WG
  Trust Anchor Management Protocol (TAMP)
    IETF-69 TAM BoF WG
    TAM Protocol PKIX WG
    Working Item
    ML
  Updating ASN.1 modules to 1988 syntax
    ASN.1 1988 ASN.1
    1998 2002 ASN.1 ANY
    LTANS Tobias der/ber

Figure 3-13 PKIX WG

ASN.1 WG individual PKIX WG WG 2008 3 WG PKIX WG ASN.1 1998 ASN.1 2002 PKIX WG RFC
PKIX WG
  Credential selection - Mainly a PKI problem
    http://www.ietf.org/internet-drafts/draft-santessoncredsel-01.txt
  Resource Discovery Protocol
    http
    ML straw poll

Figure 3-14 PKIX WG

Credential selection Resource Discovery Protocol http Internet-Draft ML

3.5.

IETF X.509 PKIX WG PKI Trust Anchor Management 2007 PKIX WG 3 RFC3280
Russ Housley PKIX WG PKI PKIX WG PKI