
PKI Artifact Retention

This document proposes a directory-focused approach for retaining and verifying artifacts in a Public Key Infrastructure (PKI). It presents structures, object classes, and attributes to bind Evidence Records to certificates and CRLs, provides an alternative to the X.509 expiredCertsOnCRL extension, and enables the use of cumulative CRLs for validating certificates issued during a large time interval. This draft is a potential supporting specification for verifying Evidence Records and archived digital signatures.

lbraun

Presentation Transcript


  1. PKI Artifact Retention
     March 2006

  2. Purpose
     • Current drafts are silent on how refreshed timestamp chains will be verified
     • i.e., from where will the various artifacts be obtained?
     • Serves as a directory-focused companion to the SCVP/ERS Internet-Draft submitted last Fall

  3. Mechanics
     • Defines crossCertificatePair-like structures to bind EvidenceRecords to certificates and CRLs
     • HistoricalCertificate and HistoricalCRL
     • Defines RFC2587-like object classes and attributes to contain the new structures

  4. Revocation Information Appendix
     • Provides an alternative to the X.509 expiredCertsOnCRL extension
     • Enables cumulative CRLs to be used to validate any certificate issued during a large time interval (up to the validity of the CA) using typical logic (i.e., thisUpdate < time of interest < nextUpdate)

  5. Question
     • Should drafts of this sort be addressed by this working group?
     • Not in the original charter, but potentially useful supporting specifications for verifying EvidenceRecords and archived digital signatures
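The revocation slide (4) states the selection rule a verifier applies when validating a certificate at a past time of interest: pick the CRL whose window satisfies thisUpdate < time of interest < nextUpdate. The following is an added example, not code from the draft or from the LTANS working group. It implements that rule over a store of retained CRLs and shows the problem the appendix addresses: an ordinary CRL issued after a certificate has expired is allowed by X.509 to drop that certificate's entry (unless expiredCertsOnCRL is present), and its window does not cover the earlier time of interest anyway, so a verifier holding only the latest CRL cannot decide. A retained historical CRL, or a single cumulative CRL whose window spans the CA's validity, still yields the answer. All records are constructed; the class and field names, the issuer name, and the way the cumulative CRL's window is modelled (spanning the whole interval) are this example's assumptions, not the draft's ASN.1.

```python
"""Point-in-time revocation checking against retained (historical) CRLs.

Added example, not code from the draft. Field/class names, the issuer
name, and the cumulative-CRL window model are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime


@dataclass(frozen=True)
class RetainedCRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Tuple[RevokedEntry, ...]


def periodic_crl(issuer, issued, next_update, revoked, certs):
    """Ordinary CRL: absent expiredCertsOnCRL, X.509 permits the issuer to
    drop entries for certificates that had already expired at issue time."""
    by_serial = {c.serial: c for c in certs}
    kept = tuple(e for e in revoked
                 if e.revocation_date <= issued
                 and by_serial[e.serial].not_after > issued)
    return RetainedCRL(issuer, issued, next_update, kept)


def cumulative_crl(issuer, window_start, window_end, revoked):
    """Cumulative CRL as modelled here (assumption): one window spanning the
    whole interval, every revocation in that interval retained."""
    return RetainedCRL(issuer, window_start, window_end, tuple(revoked))


def select_crl(store, issuer, time_of_interest):
    """The slide's rule: thisUpdate < time of interest < nextUpdate.
    If several retained CRLs overlap, prefer the one issued latest."""
    hits = [c for c in store if c.issuer == issuer
            and c.this_update < time_of_interest < c.next_update]
    return max(hits, key=lambda c: c.this_update) if hits else None


def status_at(store, cert, time_of_interest):
    """'good' | 'revoked' | 'not-yet-valid' | 'expired' | 'unknown'.
    'unknown' means no retained CRL covers the time of interest."""
    if time_of_interest < cert.not_before:
        return "not-yet-valid"
    if time_of_interest > cert.not_after:
        return "expired"
    crl = select_crl(store, cert.issuer, time_of_interest)
    if crl is None:
        return "unknown"
    for e in crl.entries:
        if e.serial == cert.serial and e.revocation_date <= time_of_interest:
            return "revoked"
    return "good"


# ---- constructed data (hypothetical issuer, serials and dates) ----------
CA = "CN=Example Archive CA"
CERT_42 = CertRecord(CA, 42, utc(2005, 1, 1), utc(2007, 1, 1))
CERT_7 = CertRecord(CA, 7, utc(2005, 1, 1), utc(2012, 1, 1))
CERTS = (CERT_42, CERT_7)
REVOKED = (RevokedEntry(42, utc(2006, 3, 1)),)

# A CRL issued while cert 42 was still valid, and one issued after it expired
# (the latter no longer lists serial 42).
CRL_2006 = periodic_crl(CA, utc(2006, 6, 1), utc(2006, 7, 1), REVOKED, CERTS)
CRL_2008 = periodic_crl(CA, utc(2008, 1, 1), utc(2008, 2, 1), REVOKED, CERTS)
PERIODIC_STORE = (CRL_2006, CRL_2008)
LATEST_ONLY = (CRL_2008,)
# One cumulative CRL covering the CA's assumed 2004..2014 validity.
CUMULATIVE_STORE = (cumulative_crl(CA, utc(2004, 1, 1), utc(2014, 1, 1), REVOKED),)


def demo():
    toi = utc(2006, 6, 15)  # when the archived signature was made
    return {
        "retained periodic CRL": status_at(PERIODIC_STORE, CERT_42, toi),
        "latest periodic CRL only": status_at(LATEST_ONLY, CERT_42, toi),
        "cumulative CRL": status_at(CUMULATIVE_STORE, CERT_42, toi),
        "cumulative, before revocation": status_at(CUMULATIVE_STORE, CERT_42, utc(2006, 2, 1)),
        "cumulative, cert 7": status_at(CUMULATIVE_STORE, CERT_7, toi),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} {v}")
```

The strict inequalities in select_crl follow the slide's wording; a deployment would have to decide whether a time of interest equal to thisUpdate or nextUpdate is covered. Note also that the "unknown" outcome is the honest result for the latest-CRL-only store: returning "good" there would silently accept a certificate that was revoked at the time the signature was made.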
