
eID validations services


Presentation Transcript


  1. eID validations services. Houcine Bel Mamoune, Unit manager eID. Technical Drill down Session, 7 April 2005

  2. eID validations services • Introduction • eID CA profile and hierarchy • eID Repository • eID LDAP • eID CRL/delta CRL • eID OCSP • Q&A

  3. eID Certificate Authority Citizen PUK & PIN Belgian National Register eID Card Manufacturer Belgian municipalities Introduction

  4. eID CA profile and hierarchy • Belgium Root CA off line • CA tree structure • Relying party trusts the Belgium Root CA key • Belgium Root CA issues Citizen CA certificates • Relying party verifies the certificate along a certificate path leading to the root. [Figure: chain of trust, Belgium Root CA → Citizen CA → Auth. citizen cert. and Sign. citizen cert.]

  5. eID CA profile and hierarchy • Certificate Serial Number (unique) • Unique name identifying the certificate owner • Certificate usage (Sign./Auth.) • Validity period (5 years) • Public key • Issuer name & signature • Technical information • Version (3) • Signature algorithm • Authority info access • … Example certificate: Serial Number: 3214; Subject: Serial Number = 12345678901, G = John Fitzgerald, SN = Doe, CN = John Doe (Signature), C = BE; Public key: …; Validity: 1/07/2003 10:03:00 to 1/07/2008 10:03:00; Issuer: CA-Name; Signature: CA digital signature

  6. eID CA profile and hierarchy: Authentication Certificate and Signature Certificate (slide image)

  7. eID CA profile and hierarchy: Citizen CA CRL distribution point and Citizen CA Authority Key Identifier (slide image)

  8. eID CA profile and hierarchy: Citizen Certificates Authority Information Access and Citizen Certificates CDP (slide image)
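To make slides 4 to 8 concrete, here is an added example (not from the presentation and not eID project code) that builds a throw-away hierarchy with Python's `cryptography` library and validates a citizen certificate along the path to the root, the way slide 4 describes the relying party doing it: the root key is trusted, every other certificate must be inside its validity period, be issued by a CA certificate whose subject matches its issuer, and carry a signature that verifies under that CA's key. Names, keys and the function names `issue`, `verify_path` and `demo_checks` are mine; the serial number 3214 and the subject fields are reused from the slide 5 example. It goes beyond the slide by also showing the three failure cases a relying party must reject: a CA certificate with the right name but the wrong key, a missing issuer, and an expired certificate.

```python
"""Path validation for a Belgium Root CA -> Citizen CA -> citizen certificate
hierarchy.  Added example: the hierarchy below is constructed with the
`cryptography` library, so names, keys and serials are not the real eID values."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_name(common_name, serial_number=None):
    # Subject naming modelled on slide 5: C=BE, CN=..., optional Serial Number.
    attrs = [x509.NameAttribute(NameOID.COUNTRY_NAME, "BE"),
             x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if serial_number is not None:
        attrs.append(x509.NameAttribute(NameOID.SERIAL_NUMBER, serial_number))
    return x509.Name(attrs)


def issue(subject, issuer, subject_key, signing_key, is_ca, serial, years=5):
    """Issue a version-3 certificate with the 5-year validity of slide 5."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(subject_key.public_key()).serial_number(serial)
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365 * years))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256())


def validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions only naive UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def build_demo_hierarchy():
    """Constructed hierarchy: self-signed root, one Citizen CA, one citizen
    authentication certificate, plus a second CA certificate that reuses the
    Citizen CA name under a different key (name matching alone must not pass)."""
    root_key, ca_key, citizen_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root_name, ca_name = make_name("Belgium Root CA (demo)"), make_name("Citizen CA (demo)")
    root = issue(root_name, root_name, root_key, root_key, True, 1)
    citizen_ca = issue(ca_name, root_name, ca_key, root_key, True, 2)
    same_name_other_key = issue(ca_name, root_name, other_key, root_key, True, 99)
    citizen = issue(make_name("John Doe (Authentication)", "12345678901"),
                    ca_name, citizen_key, ca_key, False, 3214)
    return root, citizen_ca, same_name_other_key, citizen


def verify_path(leaf, intermediates, trust_anchor, now=None):
    """Walk from the citizen certificate up to the trusted root key (slide 4).
    Returns the validated path leaf -> ... -> root, or raises ValueError."""
    now = now or datetime.now(timezone.utc)
    by_subject = {c.subject: c for c in intermediates}
    by_subject[trust_anchor.subject] = trust_anchor
    path, current = [leaf], leaf
    while len(path) <= 8:                      # hard stop against issuer loops
        not_before, not_after = validity(current)
        if not (not_before <= now <= not_after):
            raise ValueError(f"serial {current.serial_number} is outside its validity period")
        if current == trust_anchor:            # the root key is trusted, not verified
            return path
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"no issuer certificate for serial {current.serial_number}")
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError(f"issuer of serial {current.serial_number} is not a CA")
        try:   # the signature must verify under the issuer's public key
            issuer.public_key().verify(current.signature, current.tbs_certificate_bytes,
                                       ec.ECDSA(current.signature_hash_algorithm))
        except InvalidSignature:
            raise ValueError(f"signature on serial {current.serial_number} does not verify") from None
        path.append(issuer)
        current = issuer
    raise ValueError("certificate path too long")


def is_valid_path(leaf, intermediates, trust_anchor, now=None):
    try:
        verify_path(leaf, intermediates, trust_anchor, now)
        return True
    except ValueError:
        return False


def demo_checks():
    """The checks a relying party cares about, reported by name."""
    root, citizen_ca, same_name_other_key, citizen = build_demo_hierarchy()
    far_future = datetime.now(timezone.utc) + timedelta(days=365 * 6)
    return {
        "path_serials": [c.serial_number for c in verify_path(citizen, [citizen_ca], root)],
        "wrong_key_same_name": is_valid_path(citizen, [same_name_other_key], root),
        "issuer_missing": is_valid_path(citizen, [], root),
        "after_expiry": is_valid_path(citizen, [citizen_ca], root, now=far_future),
    }


if __name__ == "__main__":
    print(demo_checks())
```

Path building here uses subject/issuer name matching; the real eID certificates additionally carry the Authority Key Identifier and Authority Information Access extensions shown on slides 7 and 8, which a production validator uses to locate and pin the issuer certificate before the same signature check is performed.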

  9. eID repository • eID CSP repository links: • http://repository.eid.belgium.be is the eID CSP web site • http://crl.eid.belgium.be • http://certs.eid.belgium.be • http://status.eid.belgium.be • Certificate Status Web Service: provides real-time certificate status • Certificate Revocation List (CRL) Lookup Service • http://ocsp.eid.belgium.be • ldap.eid.belgium.be port 389 • The new eID government web site: • http://eid.belgium.be • With links to the Fedict and RRN web sites • Certipost eID web shop • http://www.eid-shop.be

  10. eID repository (slide image)

  11. eID LDAP • eID LDAP is the CA public directory: • Accessible by using LDAP v2 on the host ldap.eid.belgium.be, port 389, base dc=eid, dc=belgium, dc=be

  12. eID CRL/ΔCRL • Used to validate certificates • Includes information such as: • Issuer of the CRL • Type of signature applied on the CRL • Date and time when the CRL is issued • Date and time of the next CRL update • List of revoked certificates (Serial Number, Revocation date)

  13. eID CRL/ΔCRL • Certificate revocation list profile (slide image)

  14. eID CRL/ΔCRL • Certificate revocation list profile, continued (slide image)

  15. eID CRL/ΔCRL • Delta CRL profile (slide image)

  16. eID CRL/ΔCRL • CRL/Delta CRL process (slide image)

  17. eID CRL/ΔCRL • Current CRL size for the Citizen CA 2004 is about 3,04 MB • Estimated size per entry in future CRL/ΔCRL is about 38 bytes / entry • CRL size for 16 000 000 citizen certificates: 580 MB • Needs a CRL splitting scheme by generating several Citizen CAs • Each CA will issue its own CRL and ΔCRL • → size issue! • 3 options to mitigate it: • Use ΔCRL • Generate several CA certificates • Use OCSP

  18. eID OCSP • The eID OCSP responder is OCSP v1 compliant (RFC 2560). • Suspended certificates will be marked as revoked, since the “Suspended” status is currently not supported by OCSP.

  19. eID OCSP • Provides real-time status information • Decreases the risk of using revoked certificates • Returns status good, revoked or unknown • Use the OCSP URL from the certificate to gain access to the responder. [Figure: the OCSP client (Alice, applications or relying party) sends an OCSP request for cert #123 to the OCSP responder, which consults the Citizen CA DB, CRL, ΔCRL and web status under the Belgium Root CA]
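The CRL/ΔCRL slides (12 to 17) and the OCSP slides (18 and 19) describe the same underlying question: given the revocation data the CA publishes, what status does a given serial number get? The example below is added here and is not from the presentation or the eID project: a simplified in-memory model (no ASN.1/DER parsing) in which a delta CRL is applied to its base CRL, the freshness window between thisUpdate and nextUpdate is checked, and each serial is answered with good, revoked or unknown as on slide 19, with a suspended (certificateHold) certificate reported as revoked as slide 18 states. All serial numbers, CRL numbers, dates and the names `Crl`, `apply_delta`, `certificate_status` and `demo` are constructed by me; the 38 bytes per entry and the 16 000 000 certificates come from slide 17.

```python
"""Revocation status from a base CRL plus a delta CRL (added example, not
from the presentation).  Simplified in-memory model with constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Reason(Enum):
    UNSPECIFIED = "unspecified"
    KEY_COMPROMISE = "keyCompromise"
    CERTIFICATE_HOLD = "certificateHold"   # the "suspended" state of a new eID card
    REMOVE_FROM_CRL = "removeFromCRL"      # delta-CRL entry lifting an earlier hold


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: Reason = Reason.UNSPECIFIED


@dataclass
class Crl:
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: List[RevokedEntry]
    base_crl_number: Optional[int] = None   # present only on a delta CRL


def apply_delta(base: Crl, delta: Crl) -> Dict[int, RevokedEntry]:
    """Merge a delta CRL into its base CRL and return the effective revoked set."""
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL")
    if delta.issuer != base.issuer:
        raise ValueError("delta CRL issued by a different CA")
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError("delta CRL does not apply to this base CRL")
    revoked = {e.serial: e for e in base.entries}
    for entry in delta.entries:
        if entry.reason is Reason.REMOVE_FROM_CRL:
            revoked.pop(entry.serial, None)    # suspension lifted: the card was activated
        else:
            revoked[entry.serial] = entry      # new revocation or suspension
    return revoked


def is_fresh(crl: Crl, now: datetime) -> bool:
    """A CRL may only be relied upon between thisUpdate and nextUpdate."""
    return crl.this_update <= now <= crl.next_update


def certificate_status(serial: int, revoked: Dict[int, RevokedEntry], issued: Set[int]) -> str:
    """good / revoked / unknown, the three answers of slide 19.  A held
    (suspended) certificate is answered as revoked, as slide 18 states."""
    if serial not in issued:
        return "unknown"                       # never issued by this CA
    return "revoked" if serial in revoked else "good"


def estimated_crl_size_bytes(certificates: int, bytes_per_entry: int = 38) -> int:
    """Slide 17's sizing rule: about 38 bytes per CRL entry."""
    return certificates * bytes_per_entry


def demo():
    # Constructed data: a base CRL, a delta CRL one number later, and the CA's issued serials.
    now = datetime(2005, 4, 7, 12, 0, tzinfo=timezone.utc)
    issuer = "CN=Citizen CA (demo),C=BE"
    base = Crl(issuer, 10, now - timedelta(hours=6), now + timedelta(hours=18), [
        RevokedEntry(111, now - timedelta(days=3), Reason.KEY_COMPROMISE),
        RevokedEntry(222, now - timedelta(days=1), Reason.CERTIFICATE_HOLD),   # card not yet activated
    ])
    delta = Crl(issuer, 11, now - timedelta(hours=1), now + timedelta(hours=2), [
        RevokedEntry(222, now - timedelta(hours=2), Reason.REMOVE_FROM_CRL),   # citizen activated the card
        RevokedEntry(333, now - timedelta(hours=1), Reason.CERTIFICATE_HOLD),  # freshly issued, suspended
    ], base_crl_number=10)
    issued = {111, 222, 333, 444}
    revoked = apply_delta(base, delta)
    return {
        "fresh": is_fresh(base, now) and is_fresh(delta, now),
        "statuses": {s: certificate_status(s, revoked, issued) for s in (111, 222, 333, 444, 999)},
        "full_crl_bytes": estimated_crl_size_bytes(16_000_000),
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: a relying party that only fetched the base CRL would still answer "revoked" for serial 222 and "good" for 333 until the next delta arrives, which is the synchronisation delay slide 21 puts at up to 3 hours; and 16 000 000 entries at 38 bytes give 608 000 000 bytes, which is the 580 MB of slide 17 when expressed in mebibytes.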

  20. eID Validation Services: OCSP versus CRL/ΔCRL. [Figure: Online Certificate Status Protocol versus (offline) Certificate Revocation List, between the citizen, your application and the back-office]

  21. OCSP versus CRL/ΔCRL
  Access method
  • OCSP: online, transaction based, relying on the OCSP server availability; about no delay between request and answer; gets the effective and current certificate status; the requesting service must be able to perform an online OCSP request.
  • CRL/Delta CRL: offline, download of the last CRL/Delta CRL before any validation; local transaction; not synchronised with the online status, with a maximum of 3 hours of delay if each Delta CRL is fetched.
  Access protocol
  • OCSP: HTTP
  • CRL/Delta CRL: HTTP(S)/LDAP
  Local storage needed
  • OCSP: no, very limited as transaction based
  • CRL/Delta CRL: yes, need to download and store locally at least the last CRL/Delta CRL; it is disk storage consuming
  Internet bandwidth
  • OCSP: low, as transaction based
  • CRL/Delta CRL: high, it will require a high bandwidth for downloading CRLs; as every eID citizen certificate is first suspended before being optionally activated, the CRL file is large
  Signed answer
  • OCSP: yes, answers are signed by the OCSP responder private key
  • CRL/Delta CRL: yes, CRL and Delta CRL are signed by the issuing CA private key

  22. OCSP versus CRL/ΔCRL • E.g. the eID OCSP validation services could be used daily, in conjunction with CRL/ΔCRL as a backup • The choice between OCSP and CRL/ΔCRL depends on your business, on your risk assessment, … → most probably a balance between the 2 protocols

  23. Thank You !
