EuroPKI • Antonio Lioy <lioy@polito.it> • Politecnico di Torino, Dip. Automatica e Informatica
The Copernican revolution • the X.509 certificate at the centre, with every security service orbiting around it: • secure e-mail • secure remote access • secure Web • secure VPN • secure boot • secure DNS • Win2000 security • secure routing • no viruses & Trojan horses • IP security
Background • ICE-TEL project (1997-1998) • ICE-CAR project (1999-2000) • various national projects (1996-2000) • since January 1, 2000: EuroPKI
EuroPKI hierarchy (diagram) • EuroPKI TLCA (top-level CA) • national CAs: EuroPKI Norway, EuroPKI Slovenia, EuroPKI Italy • subordinate CAs: City of Rome CA, Politecnico di Torino CA, EETIC CA • end entities: people, servers
Current status • root + national CAs: • AT (IAIK) • IE (TCD) • IT (POLITO): Italian tree with 4 City Halls; integration with the Italian identity chip-card • NO: will retire on Dec 31, 2000 • SI (IJS): Slovenian tree • UK (UCL)
EuroPKI services • certification • revocation • publication • data validation • competence centre
Certification • X.509v3 certificates • global CP (Certification Policy) • local CPS (Certification Practice Statement)
Certification policy • current draft: 28 pages, based on RFC 2527 (with extensions) • basic idea: be as unrestrictive as possible, so that anybody can join ... • ... while retaining a level of security useful for practical applications
CP requirements • personal identification of the subject • secure management of the CA • periodic publication of CRL
Applications supported • Web: • SSL/TLS • signed applets • SSL-based applications: • telnet, FTP, SMTP, POP, IMAP, ... • e-mail: • S/MIME • IPsec (via SCEP) • DNS (?)
Publication • certificates and CRLs • Web servers: • for humans • directory server: • for applications • LDAP (local) directories • X.500 (global) directory • X.521 schema
Revocation • CRL (Certificate Revocation List): • cumulative list of revoked certificates, signed by the CA • issued periodically (each issue is valid until its nextUpdate) • updated as needed • OCSP (Online Certificate Status Protocol, RFC 2560): • "is this cert valid now?" • answers: good, revoked, unknown
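As an added example, not code from the EuroPKI project or from this presentation, here is the relying-party side of the certification and revocation services described above, in Go with only the standard library (Go 1.19 or later). A constructed demo CA issues two certificates and a CRL that revokes one of them; `Validate` first verifies the chain to the trusted root and then consults the CRL, refusing any list whose signature does not verify against the issuer (a second CA with the same name but a different key is built to show why that check matters) or whose nextUpdate has passed, which is exactly the gap a periodic CRL leaves and an OCSP query closes. The CA name, serial numbers, validity periods and the 12-hour CRL lifetime are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The three answers a relying party can get to "is this certificate valid now?".
const StatusGood, StatusRevoked, StatusUnknown = "good", "revoked", "unknown"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a P-256 key for the subject and signs tmpl with issuerKey (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// newCRL issues a CRL listing the given serials, valid for 12 hours (assumed periodic issuance interval).
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serials ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// DemoPKI is constructed sample material, not real EuroPKI data: a CA, two end-entity certificates,
// a CRL revoking the second, and a CRL from an unrelated key with the same CA name that revokes nothing.
type DemoPKI struct {
	CA, Good, Revoked *x509.Certificate
	CRL, RogueCRL     []byte
	Now               time.Time
}

func BuildDemoPKI() *DemoPKI {
	now := time.Now()
	caTmpl := func() *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Politecnico di Torino CA (demo)"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // cRLSign is a separate key-usage bit
	}
	ca, caKey := newCert(caTmpl(), nil, nil)
	issue := func(serial int64, cn string) *x509.Certificate {
		c, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
		return c
	}
	good, revoked := issue(1001, "alice"), issue(1002, "bob")
	rogueCA, rogueKey := newCert(caTmpl(), nil, nil) // same name as the real CA, different key
	return &DemoPKI{CA: ca, Good: good, Revoked: revoked, Now: now,
		CRL: newCRL(ca, caKey, now, revoked.SerialNumber), RogueCRL: newCRL(rogueCA, rogueKey, now)}
}

// CheckRevocation answers from the CRL alone: it refuses a list not signed by the issuer
// (an attacker could otherwise serve an empty one) or outside its thisUpdate..nextUpdate window.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL stale at %s: fetch a fresh one or ask OCSP", now.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// Validate is the full relying-party check: chain to the trusted root (validity, CA flag, key usage), then the CRL.
func Validate(cert, root *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return StatusUnknown, err
	}
	return CheckRevocation(cert, root, crlDER, now)
}

func main() {
	p := BuildDemoPKI()
	fmt.Println(Validate(p.Good, p.CA, p.CRL, p.Now))
	fmt.Println(Validate(p.Revoked, p.CA, p.CRL, p.Now))
	fmt.Println(CheckRevocation(p.Revoked, p.CA, p.RogueCRL, p.Now))
	fmt.Println(CheckRevocation(p.Good, p.CA, p.CRL, p.Now.Add(48*time.Hour)))
}
```

The two "unknown" outcomes are the ones a relying application must treat as a failure, not as "not revoked": a CRL that is not the issuer's, or one that has expired, gives no evidence either way, and the correct reaction is to fetch the next periodic issue or to ask an OCSP responder.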
Time-stamping • proof of data existence at a given date • IETF PKIX TSP draft 12 • TSP server (Win32, Unix) • TSP client (GUI for Win32, shell for Unix)
Attribute certificate • where should I put additional info related to a certificate? • inside the certificate, in order to keep all data together • in a directory • in an attribute certificate (draft-ietf-pkix-ac509prof)
Next steps • GARR PKI • European digital signature law • CDSA • automatic policy negotiation
EuroPKI? Future • I have a dream ... • ... a pan-European open and public PKI to enable network security