Higher Education Bridge Certification Authority
Scaleable Linking of PKI trust domains
David L. Wasley
Fall 2006 PKI Workshop
(PowerPoint presentation, 13 slides)


Page 1 (title slide): Higher Education Bridge Certification Authority. Scaleable Linking of PKI trust domains. David L. Wasley, Fall 2006 PKI Workshop.

Page 2: Topic Span

- What's a bridge?
- How is it different than "normal" PKI?
- Why is it useful?
- What is the HEBCA?

Page 3: Bridged vs. Hierarchical PKI

- Hierarchical PKI assumes uniform policy and works with most products today
- Hierarchies are "PKI islands"; therefore browsers include 100+ "trust anchors"
- Bridging allows mapping between different PKI policies, but very few products support this (yet); mapping info is used during path validation
- Bridging can link "islands" and provide superior trust management; therefore we believe it will become important ...

Page 4: PKIs are islands of common trust

(Diagram slide; no text beyond the title.)

Page 5: They can be 'networked'

(Diagram slide; no text beyond the title.)

Page 6: What this looks like

- A Relying Party under (A) can build a path from a Subject under (C)
- This avoids the RP having to know and understand Trust Anchors (B) and (C)
- But not vice versa

Page 7: Cross-cert can be done bi-laterally

(Diagram slide; no text beyond the title.)

Page 8: A "bridge" serves as the hub of trust

(Diagram slide; no text beyond the title.)

Page 9: How does the bridge deal with differences in PKI domain CPs?

- Trust is established by Certificate Policy
- Each PKI domain has a Trust Anchor
- Each domain can specify how its policy is met or exceeded by the other domain's policy
  - Each can place limits on this trust
  - If there is no equivalency, one doesn't trust the other
- The bridge does this with respect to each of its member domains
  - Members must trust the bridge to do this adequately
  - Each can limit how far it is willing to 'network'

Page 10: How CPs are compared

- Identify all important issues in the CP
  - Organizational responsibilities
  - Trust-affecting issues
- Create matrices to organize the comparison
  - General or common elements
  - Elements that determine Level of Assurance
  - Other differentiating elements

Page 11: How mapping is instantiated

- A CA's policy is identified by an OID
  - One policy may define OIDs to represent variations such as LOA, etc.
- CA cross-certificate includes "policy mapping field"
  - Contents defined by Issuer
  - Pairs of OIDs: "Issuer considers its CP (OID) to be equivalent to Subject CA's CP (OID)" [See RFC 3280]
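Slides 6, 9 and 11 together describe one mechanism: a relying party under trust anchor A builds a path through the bridge to a subject under C, and the policy mapping field of each cross-certificate tells the path validator which of the issuer's CP OIDs it considers equivalent to the subject CA's. The following Python is an added illustration written for this page; it is not code from the presentation, from HEBCA or from any product. All names and values in it are constructed: the domains A-Root, Bridge and C-Root, the OIDs under the placeholder arc 1.3.6.1.4.1.99999, and the alice/bob subjects. It builds a path by searching issuer-to-subject edges and then walks a simplified form of the RFC 3280 valid_policy_tree so that the relying party's required policy, stated in its own domain's OID, is checked against the leaf certificate's policy after mapping. It deliberately omits anyPolicy, the requireExplicitPolicy and inhibitPolicyMapping constraints, and signature, validity and revocation checking.

```python
"""Simplified bridge-CA path building and policy mapping (after RFC 3280 sec. 6.1).

Constructed example: PKI domains A and C linked through a bridge CA.
Every name and OID here is a made-up placeholder (arc 1.3.6.1.4.1.99999.*).
Omitted: anyPolicy, policy constraints, signature/validity/revocation checks.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Cert:
    issuer: str
    subject: str
    policies: frozenset          # certificatePolicies OIDs, in the issuer's domain
    policy_mappings: tuple = ()  # (issuerDomainPolicy, subjectDomainPolicy) pairs


# Placeholder OIDs: 1.3.6.1.4.1.99999.<domain>.<level>  (constructed, not real)
A_HIGH, A_BASIC = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
BR_HIGH, BR_BASIC = "1.3.6.1.4.1.99999.9.1", "1.3.6.1.4.1.99999.9.2"
C_HIGH, C_BASIC = "1.3.6.1.4.1.99999.3.1", "1.3.6.1.4.1.99999.3.2"

CERTS = [
    # A cross-certifies the bridge: A's CP OIDs are mapped onto the bridge's
    Cert("A-Root", "Bridge", frozenset({A_HIGH, A_BASIC}),
         ((A_HIGH, BR_HIGH), (A_BASIC, BR_BASIC))),
    # The bridge cross-certifies C: bridge OIDs are mapped onto C's
    Cert("Bridge", "C-Root", frozenset({BR_HIGH, BR_BASIC}),
         ((BR_HIGH, C_HIGH), (BR_BASIC, C_BASIC))),
    # End-entity certificates issued under C
    Cert("C-Root", "alice@c.example", frozenset({C_HIGH})),
    Cert("C-Root", "bob@c.example", frozenset({C_BASIC})),
    # No Cert("C-Root", "Bridge", ...) exists: C has NOT cross-certified the bridge,
    # so the link is unilateral (slide 6: "but not vice versa").
]


def build_path(trust_anchor, target, certs=CERTS):
    """Breadth-first search from the trust anchor over issuer->subject edges.
    Returns the list of certificates ending at `target`, or None if none exists."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}
    while queue:
        name, path = queue.popleft()
        for c in by_issuer.get(name, []):
            if c.subject == target:
                return path + [c]
            if c.subject not in seen:
                seen.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None


def valid_policies(path, initial_policy_set):
    """Walk a simplified valid_policy_tree one certificate at a time and return the
    relying party's own policies (those named in the first certificate) that survive
    mapping all the way down to the leaf, intersected with initial_policy_set."""
    # depth 0: one node that expects anything (stands in for the anyPolicy root)
    nodes = [{"valid": None, "expected": None, "root": None}]
    for cert in path:
        children = []
        for p in sorted(cert.policies):
            for n in nodes:
                # a policy is kept only if a parent node expected it
                if n["expected"] is None or p in n["expected"]:
                    children.append({"valid": p, "expected": {p},
                                     "root": n["root"] if n["root"] else p})
        # policy mappings in this cert rewrite what each surviving node expects next
        mappings = {}
        for idp, sdp in cert.policy_mappings:
            mappings.setdefault(idp, set()).add(sdp)
        for n in children:
            if n["valid"] in mappings:
                n["expected"] = mappings[n["valid"]]
        nodes = children
    return {n["root"] for n in nodes} & set(initial_policy_set)


def rp_accepts(trust_anchor, target, required_policy):
    """Relying-party decision: needs both a path and an equivalent policy on it."""
    path = build_path(trust_anchor, target)
    if path is None:
        return False, "no certification path"
    ok = valid_policies(path, {required_policy})
    if ok:
        return True, "policy satisfied via " + " > ".join(c.subject for c in path)
    return False, "path found but no equivalent policy"


if __name__ == "__main__":
    for subject in ("alice@c.example", "bob@c.example"):
        for pol in (A_HIGH, A_BASIC):
            print(subject, pol, rp_accepts("A-Root", subject, pol))
    print("reverse direction:", rp_accepts("C-Root", "carol@a.example", C_HIGH))
```

The unilateral case on slide 6 falls out of the path builder: since the constructed set contains no certificate issued by C-Root to the bridge, build_path from C-Root toward a subject under A returns None. The "no equivalency" rule of slide 9 shows up in rp_accepts for bob: a path exists, but C's basic policy maps back only to A's basic policy, so a relying party that requires A's high-assurance policy rejects the certificate even though the path itself is complete.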

Page 12: Higher Education Bridge CA - HEBCA

- Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
- Patterned after the Federal Gov't FBCA; will cross-cert with FBCA eventually
- Operated at Dartmouth College; test bridge is running; CP/CPS almost complete
- Concern about whether there is enough interest (yet) to justify full operation
- Planning to keep test bridge running

Page 13: Questions?

[email protected]