1 / 13

Approaches to Certificate Path Discovery

Approaches to Certificate Path Discovery . Agenda. PKI Structures Overview of Path Discovery Path Discovery Implementations Briefed by each panel member Questions Prepared questions Audience questions. PKI Structures. PKIs can be grouped into conceptual structures Hierarchical Mesh

montana
Download Presentation

Approaches to Certificate Path Discovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Approaches to Certificate Path Discovery

  2. Agenda • PKI Structures • Overview of Path Discovery • Path Discovery Implementations • Briefed by each panel member • Questions • Prepared questions • Audience questions PKI R&D Workshop 04-14-2004

  3. PKI Structures • PKIs can be grouped into conceptual structures • Hierarchical • Mesh • Bi-lateral Cross-Certified (Hybrid) • Bridge • Applications have commonly been developed assuming a particular structure • This limits interoperability PKI R&D Workshop 04-14-2004

  4. Hierarchical Mesh Basic PKI Structures PKI R&D Workshop 04-14-2004

  5. Hierarchical Hybrid Mesh PrincipalCAs Cross-Certified PKI Structures PKI R&D Workshop 04-14-2004

  6. Bridge PKI Structure B PKI R&D Workshop 04-14-2004

  7. Certification Path Building • A certification path is an ordered list of certificates starting with a certificate issued by the relying party’s trust root, and ending with the target certificate that needs to be validated PKI R&D Workshop 04-14-2004

  8. Certification Path Building (cont.) • Certification path building is not addressed by the standards that define the semantics and structure of a PKI • Internet Draft in the works not as a standard but as an informational draft • The ability to construct or build a valid certification path is of paramount importance for applications that rely on a PKI • Absent valid certification paths, you are working with PK—not PKI PKI R&D Workshop 04-14-2004

  9. Path Building Implementations • Simply put, path-building is nothing more than a tree traversal • certificates do not repeat in a path • Leads us to two basic algorithms: • Start at a root, and work toward the end entity • Start at the end entity, and work toward a root • And, two models of implementation: • Client-side • Server-side PKI R&D Workshop 04-14-2004

  10. Path Building Implementations • Steve Hanna, Sun Microsystems • Matt Cooper, Orion Security • Ken Stillson, Mitretek Systems PKI R&D Workshop 04-14-2004

  11. Questions • First, some prepared questions for our panelists: • What is your implementation’s goal when discovering paths? How do you attempt to reach that goal? • How does your implementation handle situations involving multiple trust roots? • How does your implementation reduce repetition of tasks between path discovery and path validation? PKI R&D Workshop 04-14-2004

  12. Questions (2) • What are your recommendations for PKI architects/designers based upon path discovery? • Give us ideas of your experiences with real/test PKIs (size, complexity, time to get a result, etc) • Is path discovery best done on the client or server? • What are the “next steps” in the world of path discovery? PKI R&D Workshop 04-14-2004

  13. Questions • From the audience… PKI R&D Workshop 04-14-2004

More Related