
Evaluation of SPKI/SDSI

Discussion of the concepts and components of SPKI/SDSI


Presentation Transcript


  1. Evaluation of SDSI/SPKI Christine Orosco DFSC 5315 4/27/2016

  2. Introduction
  • Simple Distributed Security Infrastructure (SDSI) - Objectives
  • Simple Public Key Infrastructure (SPKI) - Objectives
  • SPKI/SDSI v2 - Objectives

  3. Introduction
  • SPKI/SDSI
  • Components
  • Certificate Types
  • Certificate Path Discovery
  • Advantages
  • Disadvantages
  • Lack of Acceptance
  • Conclusion

  4. SDSI Objectives
  • Ronald Rivest and Butler Lampson in 1996
  • Framework for exchanging authorizations and identity
  • Eschewed the notion of global names
  • Egalitarian design
  • Simple data structures

  5. SPKI Objectives
  • Carl Ellison and the IETF SPKI Working Group in 1999
  • Security mechanism for PKI that supports a wide range of trust models
  • Alternative to X.509
  • The key itself identifies an entity

  6. SPKI/SDSI Objectives
  • The two efforts merged in 1999
  • Took the best features of both designs
  • Resulted in an even simpler framework in design and implementation

  7. SPKI/SDSI 2.0
  • Key centric
  • Local names
  • Linked local names
  • Local Certificate Authority
  • Simple and human-readable syntax
  • S-expression language
  • Tuple Reduction - symbolic notation for key, authorization, and name mappings

  8. SPKI/SDSI Components
  • Principal - cryptographic key
  • Keyholder - entity who owns the key
  • Subject - keyholder with permissions
  • Issuer - entity who grants permissions
  • Certificate - permissions or identity assertion document

  9. Certificates
  • Purpose - convey the subject's authorization for requested resources
  • Types:
  • Name <name, value>
  • Attribute <name, authorization>
  • Authorization <authorization, key>

  10. Certificate Example
  (certificate (issuer <janes_key>) (subject (keyholder <janes_key>)) (not-after 2017-04-30_12:00))

  11. Certificate Path Discovery Algorithm
  • A method to validate a subject's authorization for a requested resource
  • Select the right certificate from a set of certificates in a local name space
  • Use the subject's key and authorization values
  • Needs existing authorization certificates

  12. Certificate Path Discovery Process
  • SPKI/SDSI Working Group developed the algorithm
  • Remove unnecessary certificates
  • Create a name reduction using the tuple reduction method
  • Remove all Name certificates
  • Remove all Authorization certificates with more than one key
  • Depth-first search to find the path
  • Reconstruct the certificate chain
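The following is an added example, not code from the presentation or from any SPKI/SDSI implementation. It ties slides 7 and 9 through 12 together: a small S-expression parser for certificates in the simplified form used on slide 10, name reduction of linked local names to keys, and a depth-first search that reconstructs an authorization chain from a resource owner's key to a requester's key. The certificates, the placeholder keys (K_server, K_alice, K_bob, K_carol, K_dave), the local name "friends", the tag "read" and the date format are all constructed for the example; real SPKI certificates carry full public keys and signatures, which are omitted here.

```python
import re
from datetime import datetime

# Constructed sample certificates (not from the slides). Keys are placeholder
# identifiers such as K_server rather than real public keys. K_server grants
# "read" to Alice's local name "friends" and allows delegation; Alice's name
# cert binds "friends" to K_bob; Bob re-delegates "read" to Carol (without
# further delegation) and to Dave (a cert that has already expired).
SAMPLE_CERTS = """
(cert (issuer K_server) (subject (name K_alice friends)) (tag read) (propagate) (not-after 2030-01-01_00:00))
(cert (issuer (name K_alice friends)) (subject K_bob) (not-after 2030-01-01_00:00))
(cert (issuer K_bob) (subject K_carol) (tag read) (not-after 2030-01-01_00:00))
(cert (issuer K_bob) (subject K_dave) (tag read) (not-after 2000-01-01_00:00))
"""

DATE_FMT = "%Y-%m-%d_%H:%M"          # the slide's not-after layout (assumed)
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def parse_sexprs(text):
    """Parse a sequence of S-expressions into nested Python lists of atom strings."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok != "(":
            return tok                # a bare atom
        items = []
        while True:
            if pos >= len(tokens):
                raise ValueError("unbalanced '('")
            if tokens[pos] == ")":
                pos += 1
                return items
            items.append(read())

    exprs = []
    while pos < len(tokens):
        exprs.append(read())
    return exprs


def to_cert(expr):
    """(cert (issuer I) (subject S) [(tag T)] [(propagate)] (not-after D)) -> dict.
    A principal is a bare key or (name KEY LOCAL-NAME), kept as (KEY, LOCAL-NAME)."""
    if not expr or expr[0] != "cert":
        raise ValueError("not a cert: %r" % (expr,))
    fields = {item[0]: item[1:] for item in expr[1:]}

    def principal(field):
        value = fields[field][0]
        if isinstance(value, list) and value[0] == "name":
            return (value[1], value[2])
        return value

    return {
        "issuer": principal("issuer"),
        "subject": principal("subject"),
        "tag": fields["tag"][0] if "tag" in fields else None,   # None => name cert
        "propagate": "propagate" in fields,
        "not_after": datetime.strptime(fields["not-after"][0], DATE_FMT),
    }


def load_certs(text):
    return [to_cert(e) for e in parse_sexprs(text)]


def resolve_name(name, name_certs, seen=frozenset()):
    """Name reduction: the set of keys a (key, local-name) pair denotes,
    following linked local names and ignoring cycles."""
    if name in seen:
        return set()
    keys = set()
    for c in name_certs:
        if c["issuer"] == name:
            subj = c["subject"]
            if isinstance(subj, tuple):
                keys |= resolve_name(subj, name_certs, seen | {name})
            else:
                keys.add(subj)
    return keys


def find_chain(certs, owner, target, tag, now="2025-01-01_00:00"):
    """Path discovery: drop expired certs and certs with other tags, reduce
    names to keys, then depth-first search from the owner's key for a chain
    of auth certs reaching `target`. Returns that chain in order, or None."""
    now_dt = datetime.strptime(now, DATE_FMT)
    live = [c for c in certs if c["not_after"] >= now_dt]
    name_certs = [c for c in live if c["tag"] is None]
    auth_certs = [c for c in live if c["tag"] == tag]

    def subject_keys(c):
        s = c["subject"]
        return resolve_name(s, name_certs) if isinstance(s, tuple) else {s}

    def dfs(key, chain, visited):
        for c in auth_certs:
            if c["issuer"] != key:
                continue
            keys = subject_keys(c)
            if target in keys:
                return chain + [c]
            if c["propagate"]:        # only a delegable cert extends the chain
                for k in sorted(keys - visited):
                    found = dfs(k, chain + [c], visited | {k})
                    if found:
                        return found
        return None

    return dfs(owner, [], {owner})


if __name__ == "__main__":
    certs = load_certs(SAMPLE_CERTS)
    for who in ("K_bob", "K_carol", "K_dave"):
        chain = find_chain(certs, "K_server", who, "read")
        print(who, "->", [(c["issuer"], c["subject"]) for c in chain] if chain else "no chain")
```

Dave gets no chain even though Bob issued him a certificate, because the expired certificate is pruned before the search, and no chain is found for a tag nobody issued; both are the "remove unnecessary certificates" step of slide 12 doing its job. Delegation stops at Carol because her certificate lacks `(propagate)`, which is the check a verifier must make before extending a chain through a subject's own certificates.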

  13. SPKI/SDSI Advantages
  • Simple design and syntax
  • Local names
  • Local certificate authority
  • Local delegation
  • Key centric and immutable
  • Decentralized key and certificate management

  14. SPKI/SDSI Disadvantages
  • Key management and protection
  • Certificate storage and protection
  • Certificate validity and revocation in a decentralized environment
  • Authorization initiation, modification, and deletion
  • Broken certificate chains
  • Broken linked local names

  15. SPKI/SDSI Lack of Acceptance
  • Competition from X.509
  • Wide implementation of LDAP and AD
  • Adopted by the Federal Government
  • Adopted by the commercial sector
  • Technological support
  • Well known
  • Not well known and lacking exposure
  • Immature and untested design

  16. Conclusion
  • Although a novel design, it does have its problems
  • So do X.509 and the CAs
  • Is PKI necessary for e-commerce?
  • Still facing the same problems Ellison and Schneier addressed back in 2000