
EuroPKI

EuroPKI. Antonio Lioy <lioy@polito.it>, Politecnico di Torino, Dip. Automatica e Informatica.


Presentation Transcript


  1. EuroPKI • Antonio Lioy • <lioy@polito.it> • Politecnico di Torino • Dip. Automatica e Informatica

  2. The Copernican revolution (diagram: the X.509 certificate at the centre, with the services it enables around it) • secure e-mail • secure remote access • secure Web • IP security • secure boot • X.509 certificate • secure VPN • Win2000 security • secure DNS • no viruses & Trojan horses • role-based security

  3. The actual (Ptolemaic) poor situation (diagram: every service with its own credential) • login • file transfer • DBMS login • SSH • password (univ.) • web • S/MIME • POP • password (ISP) • PKI (X)

  4. What is EuroPKI? • EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective, interoperable network security techniques.

  5. Background • ICE-TEL project (1997-1998) • ICE-CAR project (1999-2000) • various national projects (1996-2000) • since January 1, 2000: EuroPKI

  6. EuroPKI hierarchy (diagram) • EuroPKI TLCA (top-level CA) • national CAs: EuroPKI Austria, EuroPKI Italy, EuroPKI Slovenia • subordinate CAs: City of Rome CA, Politecnico di Torino CA, EETIC CA • end entities: people, servers

  7. Constituency • root, plus: • AT (IAIK) • IE (TCD) • IT (POLITO): Italian tree, with 4 City Halls; integration with the Italian identity chip-card • SI (IJS): Slovenian tree • UK (UCL)

  8. Prospective partners • there have been talks within the TERENA PKI-coord task force • expressions of interest from: • SURFnet (NL) • RedIRIS (ES) • Thessaloniki Univ. (GR) • GARR (IT)

  9. Why a hierarchy? • it is the only solution that works today, for most applications (especially COTS) • EuroPKI might move to other schemes (e.g., cross-certification, bridge CA) if and when applications support them

  10. EuroPKI services • EuroPKI is not “selling” services although it provides: • certification • revocation • publication • data and cert validation • aggregation point for: • competence centre • coordination

  11. Certification • X.509v3 certificates • global CP (Certificate Policy) • local CPS (Certification Practice Statement)

  12. Certificate policy • current draft: • 28 pages • based on RFC-2527 (with extensions) • basic idea: • be as unrestrictive as possible, so that anybody can join ... • ... while retaining a level of security useful for practical applications

  13. Strong CP requirements • personal identification of the subject • secure management of the CA • periodic publication of CRLs

  14. Applications supported • Web: • SSL/TLS • signed applets • SSL-based applications: • telnet, FTP, SMTP, POP, IMAP, ... • e-mail and secure documents: • S/MIME, PKCS-7, CMS, … • IPsec (also on routers via SCEP) • (looking into secure DNS)

  15. Publication • certificates and CRLs • Web servers: • for humans • directory server: • for applications • LDAP (local) directories • X.500 (global) directory • X.521 schema

  16. Revocation • CRL (Certificate Revocation List) • cumulative list of revoked certificates • issued periodically • updated as needed • OCSP (Online Certificate Status Protocol): • “is this cert valid now?” • answer: good, revoked, or unknown

  17. Time-stamping • proof of data existence at a given date • IETF-PKIX-TSP-draft-14 • TSP server (Win32, Unix) • TSP client (cmd-line, GUI only for Win32)
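A minimal version of what the TSP server and client above exchange, as an added Go example that is not the EuroPKI TSP code and does not use the draft-14 / RFC 3161 ASN.1 encoding (the token here is a plain struct, a deliberate simplification): the requester sends only the hash of its data, the TSA signs hash || time, and anyone later holding the data, the token and the TSA public key can verify that the data existed at that time. The TSA key and the sample document are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is a simplified time-stamp token: the TSA binds the hash of the data
// (it never sees the data itself) to a time with its signature. The real
// protocol (RFC 3161, successor of the PKIX TSP drafts) carries the same
// triple inside a CMS SignedData structure; that encoding is omitted here.
type Token struct {
	Hash [32]byte  // SHA-256 of the data, supplied by the requester
	Time time.Time // time asserted by the TSA, whole seconds
	Sig  []byte    // ECDSA signature by the TSA over tbs(Hash, Time)
}

// tbs is the exact byte string the TSA signs: hash || unix time (big endian).
// Fixing this layout is what makes the time part of what is signed.
func tbs(hash [32]byte, t time.Time) []byte {
	buf := make([]byte, 40)
	copy(buf, hash[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(t.Unix()))
	return buf
}

// Stamp is the TSA side: it receives only the hash and returns a token signed
// for the current time. The TSA's clock is a trust assumption, as in the real protocol.
func Stamp(hash [32]byte, tsaKey *ecdsa.PrivateKey, now time.Time) (Token, error) {
	now = now.Truncate(time.Second) // the token carries whole seconds
	digest := sha256.Sum256(tbs(hash, now))
	sig, err := ecdsa.SignASN1(rand.Reader, tsaKey, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Hash: hash, Time: now, Sig: sig}, nil
}

// Verify is the relying-party side: recompute the hash of the data at hand and
// check the TSA signature over hash || time. Altered data, a changed time or a
// different TSA key all make it fail.
func Verify(tok Token, data []byte, tsaPub *ecdsa.PublicKey) error {
	if sha256.Sum256(data) != tok.Hash {
		return errors.New("data does not match the time-stamped hash")
	}
	digest := sha256.Sum256(tbs(tok.Hash, tok.Time))
	if !ecdsa.VerifyASN1(tsaPub, digest[:], tok.Sig) {
		return errors.New("TSA signature does not verify")
	}
	return nil
}

func main() {
	tsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the TSA's key (constructed)
	if err != nil {
		panic(err)
	}
	data := []byte("offer to purchase, version 1") // constructed sample document
	tok, err := Stamp(sha256.Sum256(data), tsaKey, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("stamped at", tok.Time.UTC(), "-", Verify(tok, data, &tsaKey.PublicKey))
	fmt.Println("altered data:", Verify(tok, []byte("offer to purchase, version 2"), &tsaKey.PublicKey))
}
```

The point a practitioner should take from the split between Stamp and Verify is that the TSA is trusted for its clock and its key only: it never learns the document, and the relying party needs no online contact with it at verification time, just its public key (in the EuroPKI setting, a certificate chaining to the hierarchy).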

  18. OCSP (diagram: CRLs from several CAs → OCSP server ← OCSP (embedded) client) • OCSP server (Unix, Win32) • automatic CRL collection from several CAs • OCSP library + cmd-line client (Unix, NT)

  19. SSL-telnet, SSL-ftp (diagram: SSL-x client ↔ SSL-x server; LDAP, OCSP) • SSL channel • server authentication • client authentication can supplement or replace passwords • server for Unix and Win32 (FTP only) • client for Unix (cmd-line) and Win32 (GUI)

  20. Authentication or authorization? • most of the problems are trust-related • often this is due to the wrong and unnecessary coupling of authentication with authorization • we need to cut this knot: • authenticate only once, globally • authorize on a local basis, under local control
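The relying-party logic behind slides 16 and 20, as an added Go example that is not code from the EuroPKI project: a demo CA issues certificates and publishes a CRL; checkRevocation accepts the CRL only if that CA signed it and the check time lies inside its thisUpdate/nextUpdate window, and returns the same three answers an OCSP responder gives (good, revoked, unknown), never reading a stale or unverifiable list as "good"; admit then authenticates once against the CA (chain and revocation) and authorizes against a local ACL that the CA never sees, so a valid certificate that is not in the ACL is authenticated but gets no roles. The CA and organization names, the subjects, serial numbers, roles, 30-day certificate validity and 24-hour CRL lifetime are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status as seen by a relying party. Unknown covers every case in which the
// CRL cannot be trusted; it is never collapsed into Good (fail closed).
type Status string

const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// genCert signs tmpl under parent/parentKey (self-signed when parent is nil)
// with a fresh P-256 key and returns the parsed certificate and that key.
func genCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a client-auth end-entity certificate or, with isCA, a CA that
// may sign certificates and CRLs (Go derives the SubjectKeyId a CRL issuer needs).
func template(serial int64, cn string, isCA bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Demo Org"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issueCRL publishes the cumulative list of revoked certificates, valid from
// now until now+lifetime: the periodic issue window the slide refers to.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate, now time.Time, lifetime time.Duration) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(lifetime), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkRevocation trusts the CRL only if the CA signed it and now lies within
// [thisUpdate, nextUpdate]; a stale or unverifiable CRL yields Unknown, not Good.
func checkRevocation(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) (Status, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return Unknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return Unknown, errors.New("CRL outside its validity window; fetch a fresh one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

// ACL is the local authorization table (subject DN -> roles): the local
// administrator maintains it and the CA never sees it.
type ACL map[string][]string

// admit authenticates globally (chain to the CA, not revoked) and authorizes
// locally; a valid certificate absent from the ACL authenticates with no roles.
func admit(cert, ca *x509.Certificate, crl *x509.RevocationList, acl ACL, now time.Time) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	if st, err := checkRevocation(cert, ca, crl, now); st != Good {
		return nil, fmt.Errorf("authentication failed: status %s (%v)", st, err)
	}
	return acl[cert.Subject.String()], nil
}
```

To exercise it, build the CA with genCert(template(1, "Demo CA", true, now), nil, nil), issue end-entity certificates under it with genCert(template(serial, cn, false, now), ca, caKey), publish a CRL with issueCRL and call admit; calling checkRevocation again with a time past the CRL's NextUpdate shows the Unknown outcome, which a relying party must treat exactly like a missing OCSP answer rather than as a clean bill of health. The ACL key is the certificate's subject DN string, so the same global identity can carry different roles at every site, which is the separation slide 20 asks for.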

  21. Attributes / roles / permissions … • where should I put additional info related to a certificate? • inside the certificate, in order to keep all data together • in a directory • or in an attribute certificate

  22. Next steps • European digital signature law: • qualified certificates • voluntary accreditation • support for other EC projects: • NASTEC (PKI-based secure IS; PKI at least for Poland and Romania) • TESI (CDSA-based security middleware)

  23. On-going technical work • cleanly separate authentication and authorization (local file, LDAP, AC, …) • DNS as a repository, DNSsec • automatic policy negotiation (L3 … L7): • policy description (XML-based language) • policy negotiation (ISPP) • policy compliance (enforcement gateway) • integration with Win2000: • LDAP • IPsec • DNSsec

  24. Future • I have a dream ... • ... a pan-European open and public PKI to enable network security • who is interested? • EuroPKI?
