
Some Technical Issues in PKI Deployment

Explore technical issues in PKI deployment including certificate extensions, profiles, key lifecycles, and LDAP problems. Learn about certification infrastructures and cross-certification between CAs for effective implementation.


Presentation Transcript


  1. Some Technical Issues in PKI Deployment David Chadwick d.w.chadwick@salford.ac.uk

  2. Certificate Extensions
  • X.509v3 certificates hold a set of extensions
  • Each extension is uniquely identified by a globally unique number (an object identifier, OID)
  • Every organisation can obtain its own OID arc, so it can define its own extensions
  • Netscape extensions, Microsoft extensions, Entrust extensions, Baltimore extensions, your very own extensions
  • Therefore certificates are infinitely extensible, which causes interoperability problems: a relying party must reject a certificate that carries a critical extension it does not understand

  3. Certificate Profiles
  • These try to limit the extensions that are allowed in certificates
  • e.g. the PKIX profile specified in RFC 2459 (since superseded by RFC 5280)
  • But the profiles themselves still offer many options, e.g.
    • one, two or three key pairs per user
    • one certificate policy or more
    • any algorithm, e.g. DSA, RSA or elliptic curve

  4. Key Lifecycles
  • Key Generation: by the CA or by the user?
  • Initial Certification: which protocol? CMP or CMS (PKCS#7)
  • Storage of Private Keys
    • Where? Hardware or software. Software storage is a problem in a university environment
    • Portability between applications
    • Portability of hardware devices, e.g. smart cards
  • Revocation of Public Key Certificates: how, and by whom? Automatic or manual, and how is the revocation request authenticated?

  5. Key Lifecycles (cont)
  • Publication of Certificates and CRLs
    • Using LDAP, FTP or the Web?
    • Retrieval issues: how to select the right certificate
  • Key Update / Rollover
    • User keys: manual or automatic
    • Root CA keys, and migration of users to the new root
  • Key Backup: do we want it or not? For decryption keys probably yes, for signing keys definitely NO (a signing key held by anyone but its owner undermines non-repudiation)
  • Key Archive: for non-repudiation purposes, so that old signatures can still be verified after the keys have been retired

  6. Problems with Use of LDAP
  • Cannot search for particular certificates or CRLs (an LDAP filter cannot match on fields inside a certificate value)
    • Create separate attributes and search for them
    • Or retrieve all the certificates from the same entry and hope they are the ones you want
  • Cannot retrieve particular certificates or CRLs
    • Create separate attribute types, e.g. encCertificate, userCertificate
    • Create separate entries, e.g. CN=David Chadwick (Enc)
    • Create separate subtrees, e.g. OU=Encryption
    • Create child entries holding different certificates
  • LDAP is poor at supporting distributed directories
    • Causes problems for multiple CA interworking
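Slides 2, 3 and 6 rest on the same low-level facts: an extension is an OID-keyed DER structure with an optional critical flag, a profile decides which OIDs a relying party accepts (and an unrecognised critical one makes the certificate unacceptable), and an LDAP filter cannot look inside a userCertificate value, so the client has to fetch every value and decide locally. The following is an added example, not code from the presentation: a pure-Python DER walk over an X.509 Extensions block, a profile check, and the client-side selection of a certificate by keyUsage. The three LDAP values are constructed Extensions blocks standing in for whole certificates (a real userCertificate value is a full DER Certificate, inside which the extensions would first have to be located); the PROFILE set, the function names, and the critical vendor-arc extension under Netscape's 2.16.840.1.113730 arc are the example's own assumptions.

```python
# Added example (not from the slides): DER walk over X.509 Extensions, the
# profile rule for unknown extensions, and local selection among several
# userCertificate values fetched from LDAP. The sample "certificates" are
# constructed Extensions SEQUENCEs only, so the example runs offline.

def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der(tag, content):
    """Encode a DER TLV (short-form length is enough for the sample)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(content):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    first = content[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, value))

KEY_USAGE = "2.5.29.15"
KU_BITS = {"digitalSignature": 0x80, "nonRepudiation": 0x40, "keyEncipherment": 0x20}

def key_usage_ext(mask):
    """KeyUsage is a BIT STRING; its first content byte counts unused trailing bits."""
    unused = (mask & -mask).bit_length() - 1
    return extension(KEY_USAGE, der(0x03, bytes([unused, mask])), critical=True)

def parse_extensions(ext_seq):
    """Extensions SEQUENCE -> list of (dotted oid, critical, extnValue bytes)."""
    tag, body, _ = read_tlv(ext_seq)
    assert tag == 0x30, "expected SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext)
        tag, val, p2 = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional critical BOOLEAN is present
            critical, p = val != b"\x00", p2
        _, value, _ = read_tlv(ext, p)      # extnValue OCTET STRING
        out.append((decode_oid(oid_raw), critical, value))
    return out

# Assumed profile: the extension OIDs this relying party understands (a subset
# of the RFC 2459 set). Unknown non-critical extensions are ignored; an unknown
# critical one makes the certificate unacceptable.
PROFILE = {KEY_USAGE, "2.5.29.19", "2.5.29.14", "2.5.29.35", "2.5.29.17"}

def check_profile(exts):
    for oid, critical, _ in exts:
        if critical and oid not in PROFILE:
            return False, f"unrecognised critical extension {oid}"
    return True, "ok"

def key_usage(exts):
    for oid, _, value in exts:
        if oid == KEY_USAGE:
            _, bits, _ = read_tlv(value)    # BIT STRING inside the OCTET STRING
            return {n for n, m in KU_BITS.items() if len(bits) > 1 and bits[1] & m}
    return set()

def select_certificate(user_certificate_values, purpose):
    """LDAP can only test presence/equality of a whole userCertificate value,
    so the client fetches every value and inspects keyUsage itself."""
    for cert in user_certificate_values:
        exts = parse_extensions(cert)
        if check_profile(exts)[0] and purpose in key_usage(exts):
            return cert
    return None

# Constructed sample: three "certificates" stored under one LDAP entry.
SIGNING = der(0x30, key_usage_ext(0xC0))         # digitalSignature | nonRepudiation
ENCRYPTION = der(0x30, key_usage_ext(0x20))      # keyEncipherment
# A critical extension from a vendor arc (assumed value): rejected by the profile check.
VENDOR = der(0x30, key_usage_ext(0x20) +
             extension("2.16.840.1.113730.1.1", b"\x03\x02\x07\x80", critical=True))
ENTRY = [VENDOR, SIGNING, ENCRYPTION]
```

With this entry, `select_certificate(ENTRY, "keyEncipherment")` skips the vendor certificate (critical extension outside the profile) and returns `ENCRYPTION`, while `"digitalSignature"` returns `SIGNING`; every one of the three values had to travel from the directory to the client to make that decision, which is exactly the retrieval problem the slide describes.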

  7. Certification Infrastructures - Which Type?
  • Hierarchy, with a single root of trust, e.g. Identrus, EuroPKI
  • Cross-certification between peer CAs or hierarchies: technical and legal issues
  • Bridge CA: a central point for cross-certification that sets policy and acts as a bridge of trust
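The practical difference between the three topologies shows up in certification path discovery: the relying party has to find a chain of cross-certificates from its own trust anchor to the CA that issued the subject's certificate. The following added example (not from the presentation) does that search with a breadth-first walk over a set of (issuer, subject) cross-certificate pairs and compares how many cross-certificates a full peer-to-peer mesh needs with how many a bridge CA needs. The CA names, the topology and the function names are constructed for illustration; policy mapping and policy constraints, which a real bridge imposes along the path, are not modelled.

```python
# Added example (not from the slides): certification path discovery over
# cross-certificates, comparing a peer-to-peer mesh with a bridge CA.
# CA names and the topology are constructed for illustration; the walk finds a
# chain of issuers but does not evaluate certificate policies along it.
from collections import deque

def build_path(cross_certs, trust_anchor, target_ca):
    """cross_certs: set of (issuer, subject) pairs, each a cross-certificate that
    `issuer` has issued for `subject`'s key. Returns the shortest list of CAs
    from the relying party's trust anchor to target_ca, or None if no path exists."""
    issued_by = {}
    for issuer, subject in cross_certs:
        issued_by.setdefault(issuer, []).append(subject)
    queue, seen = deque([[trust_anchor]]), {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ca:
            return path
        for nxt in issued_by.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def hierarchy(root, cas):
    """One root certifies every subordinate CA; nobody cross-certifies."""
    return {(root, ca) for ca in cas}

def mesh(cas):
    """Peer-to-peer cross-certification: every ordered pair of CAs."""
    return {(a, b) for a in cas for b in cas if a != b}

def bridged(cas, bridge="BridgeCA"):
    """Each CA and the bridge cross-certify each other; nothing else."""
    return {(ca, bridge) for ca in cas} | {(bridge, ca) for ca in cas}

CAS = ["UnivA-CA", "UnivB-CA", "UnivC-CA", "UnivD-CA"]

def cross_certificate_counts(cas):
    """Number of cross-certificates to maintain: n(n-1) for a mesh, 2n with a bridge."""
    return {"mesh": len(mesh(cas)), "bridge": len(bridged(cas))}

if __name__ == "__main__":
    print(cross_certificate_counts(CAS))                               # {'mesh': 12, 'bridge': 8}
    print(build_path(mesh(CAS), "UnivA-CA", "UnivC-CA"))               # ['UnivA-CA', 'UnivC-CA']
    print(build_path(bridged(CAS), "UnivA-CA", "UnivC-CA"))            # via BridgeCA
    print(build_path(hierarchy("Root", CAS), "UnivA-CA", "UnivC-CA"))  # None: peers don't certify each other
```

In the hierarchy a relying party whose trust anchor is `UnivA-CA` finds no path to `UnivC-CA` at all; it must trust `Root`. The mesh gives the shortest paths but the number of cross-certificate pairs grows as n(n-1), each of them a separate legal agreement, whereas the bridge keeps it at 2n at the cost of one extra hop in every path and a single point that every member must trust to set policy.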
