120 likes | 302 Views
X9.68. Efficient Business Public Key Certificate Systems. Robert L. Geiger Motorola Labs. Business Needs: Business PKI. Mobility: mobile terminals, wireless devices, satellite systems Low bandwidth, limited storage and processing power High transaction volumes: Internet trading and commerce
E N D
X9.68 Efficient Business Public Key Certificate Systems Robert L. Geiger Motorola Labs
Business Needs: Business PKI • Mobility: mobile terminals, wireless devices, satellite systems • Low bandwidth, limited storage and processing power • High transaction volumes: Internet trading and commerce • Risk management: business control of business systems • Adaptable to changing business needs
Domain Concept • Breaks PKI into autonomous domains • Compare to an intranet • Aims for efficiency and business control inside domain • Domains hooked together: Contract => cross-certify • Compare to Internet • Efficiency gained by size reductions and clear system architecture
Domain Architecture • Root CA defines PK system type and algorithms • Complexity and impact on end entities clearly visible • Domain root has unique name by inclusion of public key hash in name • Local names defined by business needs used within domain
Domain root CA Domain root CA CA CA CA CA AA AA End entity End entity Domains Inter-domain (cross-certification)
Registration Authorities • Seen as account manager type functionality • Multiple RA’s per CA allowed • RA must may have different levels of allowed access • Must have certificate issued from CA allowing access; may have other requirements
Certification Authorities • Issue domain member (key bearing) certificates per requests from valid RA’s • Source point for revocation • Revocation may be via CRL, online mechanism, or time limitations (i.e., pre-payed monthly service certificate)
Attribute Authorities • Handle issuing of account rights/properties that may change frequently (e.g., monthly purchased services) • May be CA or separate entity • Functionality kept simple • May issue limited validity (i.e., monthly) attribute certificates with no revocation requirements
X9.68 Certificate Attributes • Bound to domain member certificate by domain local name (identifier) • Simple as possible, must be length bounded • Business use case to be in X9.68 base • Can be inheritable (rights, group properties) or non-inheritable (personal properties) • Domains and organizations may define other types
X9.69 Attributes... • Assumed that a domain member may have multiple attributes, possibly from different AA’s. • Wireless Application Protocol will define organization specific payloads for its use cases • Idea is interested standards organizations should define their payloads • Keep complex payloads to your domain!
Size Reductions: Key Certificate • Example used 160 bit uncompressed EC keys, DER encoding, same information • X9.68 certificate saves > 50% over minimal X509v3 with DN’s • X9.68 certificate saves > 30% over X509v3 modified by nulling DN’s and making some items optional
Issues • X9.68 vs. heavily profiled X509v3 certificate that is not called X509v4?? • Naming schemes for defined business usage • Protocols to support inter-domain operation • Leads to... • Protocols for validation services for mobile devices (IETF Online Certificate Status Protocol work)