
X9.68



Presentation Transcript


  1. X9.68: Efficient Business Public Key Certificate Systems. Robert L. Geiger, Motorola Labs

  2. Business Needs: Business PKI • Mobility: mobile terminals, wireless devices, satellite systems • Low bandwidth, limited storage and processing power • High transaction volumes: Internet trading and commerce • Risk management: business control of business systems • Adaptable to changing business needs

  3. Domain Concept • Breaks the PKI into autonomous domains (compare to an intranet) • Aims for efficiency and business control inside a domain • Domains are hooked together by contract, implemented as cross-certification (compare to the Internet) • Efficiency is gained by size reductions and a clear system architecture

  4. Domain Architecture • The root CA defines the public key system type and algorithms • Complexity and its impact on end entities are clearly visible • The domain root has a unique name formed by including a hash of its public key in the name • Local names, defined by business needs, are used within the domain

  5. [Diagram: two domains, each with a domain root CA above several CAs, attribute authorities (AA) and end entities; the two domain root CAs are linked inter-domain by cross-certification]

  6. Registration Authorities • Seen as account-manager type functionality • Multiple RAs per CA allowed • RAs may have different levels of allowed access • An RA must hold a certificate issued by the CA that grants that access; other requirements may apply

  7. Certification Authorities • Issue domain member (key-bearing) certificates on requests from valid RAs • Source point for revocation • Revocation may be via CRL, an online mechanism, or time limitation (e.g., a pre-paid monthly service certificate)

  8. Attribute Authorities • Handle issuing of account rights/properties that may change frequently (e.g., monthly purchased services) • May be the CA or a separate entity • Functionality kept simple • May issue limited-validity (e.g., monthly) attribute certificates with no revocation requirements

  9. X9.68 Certificate Attributes • Bound to the domain member certificate by the domain local name (identifier) • Kept as simple as possible; must be length-bounded • Business use cases to be defined in the X9.68 base standard • Can be inheritable (rights, group properties) or non-inheritable (personal properties) • Domains and organizations may define other types

  10. X9.68 Attributes (continued) • A domain member is assumed to hold multiple attributes, possibly from different AAs • The Wireless Application Protocol will define organization-specific payloads for its use cases • The idea is that interested standards organizations define their own payloads • Keep complex payloads to your domain!

  11. Size Reductions: Key Certificate • Example used 160-bit uncompressed EC keys, DER encoding, and the same information in each certificate • X9.68 certificate saves > 50% over a minimal X.509v3 certificate with DNs • X9.68 certificate saves > 30% over X.509v3 modified by nulling DNs and making some items optional
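The mechanism behind slides 4, 9 and 11, as an added example that is not part of the deck or of the X9.68 standard: a small DER encoder builds an X.501 Distinguished Name the way X.509v3 carries it, then builds the X9.68-style pair of a hash-derived domain root name plus a short domain-local identifier, and compares the encoded sizes. The field layouts, the attribute OIDs in the sample DN, the choice of SHA-1 as the public key hash, the stand-in public key and the member identifier are all assumptions made for illustration; the deck does not publish the X9.68 ASN.1 module.

```python
"""Added example (not from the X9.68 deck): a minimal DER encoder used to show
where the byte savings come from when X.509 Distinguished Names are replaced
by a hash-derived domain-root name plus a short domain-local identifier.
Field layouts, the attribute OIDs in the sample DN, the SHA-1 choice and all
sample values are assumptions for illustration only."""
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_int(value: int) -> bytes:
    """INTEGER (tag 0x02) for a non-negative value, minimal two's-complement
    length (a leading 0x00 is added when the top bit would be set)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return der_tlv(0x02, value.to_bytes(size, "big"))


def der_utf8(s: str) -> bytes:
    """UTF8String (tag 0x0C)."""
    return der_tlv(0x0C, s.encode("utf-8"))


def der_seq(*items: bytes) -> bytes:
    """SEQUENCE (tag 0x30)."""
    return der_tlv(0x30, b"".join(items))


def der_set(*items: bytes) -> bytes:
    """SET (tag 0x31)."""
    return der_tlv(0x31, b"".join(items))


def x509_name(rdns) -> bytes:
    """X.501 Name as X.509v3 carries it:
    SEQUENCE OF (SET OF (SEQUENCE { type OID, value })).
    Every RDN pays three nested headers plus the OID before any payload."""
    return der_seq(*[der_set(der_seq(der_oid(oid), der_utf8(val)))
                     for oid, val in rdns])


def domain_root_name(root_pubkey: bytes) -> bytes:
    """Slide 4: the domain root's unique name is formed from a hash of its
    public key (SHA-1 assumed here, matching the 160-bit keys of slide 11),
    carried as an OCTET STRING (tag 0x04)."""
    return der_tlv(0x04, hashlib.sha1(root_pubkey).digest())


def local_name(member_id: int) -> bytes:
    """Slides 4 and 9: a short business-assigned identifier, meaningful only
    inside the domain, by which key and attribute certificates are bound."""
    return der_int(member_id)


def name_sizes() -> dict:
    """Encode one subject name each way and return the byte counts."""
    # Constructed stand-in for a 160-bit uncompressed EC point: 0x04 || X || Y.
    root_pubkey = b"\x04" + bytes(range(40))
    dn = x509_name([("2.5.4.6", "US"),                     # countryName
                    ("2.5.4.10", "Example Trading Co"),    # organizationName
                    ("2.5.4.3", "trader 4711")])           # commonName
    compact = der_seq(domain_root_name(root_pubkey), local_name(4711))
    return {"x509_dn": len(dn), "domain_name": len(compact)}


if __name__ == "__main__":
    print(name_sizes())  # {'x509_dn': 66, 'domain_name': 28}
```

Only the name field is modelled, so the figures do not reproduce the whole-certificate percentages on slide 11, which also cover validity, key, signature and extensions; they do show that a three-RDN DN costs more than twice what a 20-byte hash plus a two-byte local identifier does, and that most of the DN's cost is tag-length headers and OIDs rather than the strings themselves. Two caveats a verifier should keep in mind: the hash-derived root name is unique only as far as the hash is collision-resistant (SHA-1, which fits the 160-bit setting of the deck, should not be chosen for a new design), and the name is not a substitute for holding the root public key itself, since the hash only lets a relying party confirm that the key it has been given is the one the name refers to.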

  12. Issues • X9.68 vs. a heavily profiled X.509v3 certificate that is not called X.509v4?? • Naming schemes for defined business usage • Protocols to support inter-domain operation • Leads to... • Protocols for validation services for mobile devices (IETF Online Certificate Status Protocol work)
