1 / 10

Certificate and CRL Profile and Public Key Algorithms

Certificate and CRL Profile and Public Key Algorithms. Russ Housley & Tim Polk Dec. 13, 2000. Status. New algorithms draft posted in November draft-ietf-pkix-ipki-pkalgs-01.txt Ready for WG Last Call now New son-of-RFC 2459 posted in November draft-ietf-pkix-new-part1-03.txt

tybalt
Download Presentation

Certificate and CRL Profile and Public Key Algorithms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certificate and CRL ProfileandPublic Key Algorithms Russ Housley & Tim Polk Dec. 13, 2000

  2. Status • New algorithms draft posted in November • draft-ietf-pkix-ipki-pkalgs-01.txt • Ready for WG Last Call now • New son-of-RFC 2459 posted in November • draft-ietf-pkix-new-part1-03.txt • Son-of-RFC 2459 will be ready for WG Last Call in Late January 2001

  3. Algorithms • It is done… • However, some people think that it should specify a MUST implement certificate and CRL signature algorithm

  4. Profile Modifications (1 of 2) • Recommended support for pseudonym to align with QC • Support for inhibit any-policy extension now required for conforming clients • Permit use of subject directory attributes extension • One new IETF extension • subject information access

  5. Profile Modifications (2 of 2) • Removed public key validity period from the path validation algorithm inputs • Removed the issuer unique identifier from the trust anchor information • Aligned policy mapping processing with X.509-2000 rules • Other minor clarifications

  6. Remaining Profile Work • More minor clarifications • relying party can supply constraints to the validation algorithm via inputs, not initial state variables • CRL DP extension explanation text • Finish removal of UIDs from path validation algorithm (missed one place) • Name constraints…

  7. Name Constraints • The relying party may be interested in using an alternative name form, such as the rfc822name • The CA MUST be able to constrain the contents of alternative names without requiring that all certificates in the chain include the constrained name form

  8.  X.509 and Name Constraints • Semantics of excluded subtrees are clear • Semantics of permitted subtrees are subject of some dispute: • PKIX Folks: permitted subtrees are satisfied by a certificate if it contains one or more acceptable names • X.509 Folks: permitted subtrees are satisfied when every subsequent certificate contains the specified name form and that name is within the subtree

  9. Name Constraints Example Cert #1Cert #2 Issuer c=US,cn=CA1 c=US,o=XX,cn=CA1 Subject c=US,o=XX,cn=CA1 c=US,o=XX,cn=CA2 Alt Name (none) (none) Constraints permit: c=US,o=XX (none) Cert #3 Issuer c=US,o=XX,cn=CA2 Subject (empty) Alt Name alice@xx.com

  10. Way Forward • Two Alternatives • Clarify X.509 so it works for PKIX-style paths • Develop new IETF name constraints extension • Clearly, the first alternative is preferable • Not in our control! • How long should we wait?

More Related