EuroPKI
Antonio Lioy <lioy@polito.it>
Politecnico di Torino, Dip. Automatica e Informatica

The Copernican revolution
• secure e-mail
• secure remote access
• secure Web
• IP security
• secure boot
• X.509 certificate
• secure VPN
• Win2000 security
• secure DNS
• no viruses & Trojan horses
• role-based security

The actual (Ptolemaic) poor situation
[Diagram labels: login, file transfer, login, DBMS, SSH (univ.), pwd (univ.), web, web, S/MIME, POP, pwd (ISP), PKI (X)]

What is EuroPKI?
EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective interoperable network security techniques.

Background
• ICE-TEL project (1997-1998)
• ICE-CAR project (1999-2000)
• various national projects (1996-2000)
• since January 1, 2000: EuroPKI

EuroPKI
[Diagram labels: EuroPKI TLCA, EuroPKI Austria, EuroPKI Slovenia, EuroPKI Italy, City of Rome CA, Politecnico di Torino CA, EETIC CA, people, servers]

Constituency
• root +
  • AT (IAIK)
  • IE (TCD)
  • IT (POLITO)
    • Italian tree, with 4 City Halls
    • integration with the Italian identity chip-card
  • SI (IJS)
    • Slovenian tree
  • UK (UCL)

Prospective partners
• there have been talks within the TERENA PKI-coord task force
• expressions of interest from:
  • Surfnet (NL)
  • Rediris (ES)
  • Thessaloniki Univ. (GR)
  • Garr (IT)

Why a hierarchy?
• it's the only solution that works
  • now
  • for most applications (especially COTS)
• EuroPKI might move to other schemas (e.g., cross-certification, bridge) if and when applications become available

EuroPKI services
• EuroPKI is not "selling" services although it provides:
  • certification
  • revocation
  • publication
  • data and cert validation
• aggregation point for:
  • competence centre
  • coordination

Certification
• X.509v3 certificates
• global CP (Certification Policy)
• local CPS (Certification Practice Statement)

Certification policy
• current draft:
  • 28 pages
  • based on RFC-2527 (with extensions)
• basic idea:
  • restrict as little as possible, so that anybody can join ...
  • ... while retaining a level of security useful for practical applications

Strong CP requirements
• personal identification of the subject
• secure management of the CA
• periodic publication of CRL

Applications supported
• Web:
  • SSL/TLS
  • signed applets
• SSL-based applications:
  • telnet, FTP, SMTP, POP, IMAP, ...
• e-mail and secure documents:
  • S/MIME, PKCS-7, CMS, …
• IPsec (also on routers via SCEP)
• (looking into secure DNS)

Publication
• certificates and CRLs
• Web servers:
  • for humans
• directory server:
  • for applications
  • LDAP (local) directories
  • X.500 (global) directory
  • X.521 schema

Revocation
• CRL (Certificate Revocation List)
  • cumulative list of revoked certificates
  • issued periodically
  • updated as needed
• OCSP (Online Certificate Status Protocol):
  • "is this cert valid now?"
  • unknown, valid, invalid

Time-stamping
• proof of data existence at a given date
• IETF-PKIX-TSP-draft-14
• TSP server (Win32, Unix)
• TSP client (cmd-line, GUI only for Win32)

OCSP
• OCSP server (Unix, Win32)
  • automatic CRL collection from several CAs
• OCSP library + cmd-line client (Unix, NT)
[Diagram labels: CRL, CRL, OCSP server, OCSP (embedded) client]
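
The OCSP server on this slide answers status queries from CRLs it collects from several CAs, with the three answers listed on the Revocation slide. A small model of that logic follows as an added illustration, not EuroPKI code: the class names, the CA names and the sample CRLs are constructed, and CRL signature verification is assumed to have happened before collect().

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CRL:                       # hypothetical model, not an X.509 parser
    issuer: str                  # CA that issued the list
    this_update: datetime        # issue time
    next_update: datetime        # list is stale from this time on
    revoked: frozenset           # cumulative set of revoked serial numbers

class Responder:
    """OCSP-style responder backed by CRLs collected from several CAs."""
    def __init__(self):
        self.crls = {}           # issuer -> newest CRL seen

    def collect(self, crl):
        # Assumption: the CRL signature was verified before this call.
        # Keep only the newest list per CA, so that a replayed older CRL
        # cannot make a revoked certificate look valid again.
        held = self.crls.get(crl.issuer)
        if held is None or crl.this_update > held.this_update:
            self.crls[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self.crls.get(issuer)
        if crl is None:
            return "unknown"     # no CRL collected for this CA
        if not (crl.this_update <= now < crl.next_update):
            return "unknown"     # stale list: do not guess "valid"
        return "invalid" if serial in crl.revoked else "valid"

def demo():
    t0, week = datetime(2000, 1, 10), timedelta(days=7)
    r = Responder()
    # Constructed sample CRLs for two made-up CAs.
    r.collect(CRL("CA-A", t0, t0 + week, frozenset({17})))
    r.collect(CRL("CA-B", t0, t0 + week, frozenset()))
    r.collect(CRL("CA-A", t0 - week, t0, frozenset()))   # older, ignored
    now = t0 + timedelta(days=1)
    return [
        r.status("CA-A", 17, now),                 # revoked serial
        r.status("CA-A", 18, now),                 # not on the list
        r.status("CA-C", 1, now),                  # CA never collected
        r.status("CA-A", 18, t0 + 2 * week),       # CRL expired
    ]

if __name__ == "__main__":
    print(demo())
```

Answering "unknown" for a stale or missing CRL keeps the responder from reporting a certificate as valid on the basis of revocation data it no longer has.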

SSL-telnet, SSL-ftp
• SSL channel
• server authentication
• client authentication can supplement or replace passwords
• server for Unix and Win32 (FTP only)
• client for Unix (cmd-line) and Win32 (GUI)
[Diagram labels: SSL-x server, LDAP, OCSP, SSL-x client]

Authentication or authorization?
• most of the problems are trust-related
• often this is due to the wrong and unnecessary coupling of authentication with authorization
• we need to cut this knot:
  • authenticate only once and globally
  • authorization on a local basis, with local control

Attributes / roles / permissions …
Where should I put additional information related to a certificate?
• inside the certificate, in order to keep all data together
• in a directory, or in an attribute certificate

Next steps
• European digital signature law:
  • qualified certificates
  • voluntary accreditation
• support for other EC projects:
  • NASTEC (PKI-based secure IS; PKI at least for Poland and Romania)
  • TESI (CDSA-based security middleware)

On-going technical work
• cleanly separate authentication and authorization (local file, LDAP, AC, …)
• DNS as a repository, DNSsec
• automatic policy negotiation (L3 … L7):
  • policy description (XML-based language)
  • policy negotiation (ISPP)
  • policy compliance (enforcement gateway)
• integration with Win2000:
  • LDAP
  • IPsec
  • DNSsec

Future
• I have a dream ...
• ... a pan-European open and public PKI to enable network security
• who is interested?
EuroPKI?