Computer and Network Security Group
Download
Report
Transcript Computer and Network Security Group
EuroPKI
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
The Copernican revolution
secure
Web
secure
e-mail
secure
remote
access
secure
VPN
secure
boot
X.509
certificate
secure
DNS
Win2000
security
no viruses
& Trojan horses
secure
routing
IP
security
Background
ICE-TEL project (1997-1998)
ICE-CAR project (1999-2000)
various national projects (1996-2000)
since January 1, 2000: EuroPKI
EuroPKI
EuroPKI
Norway
EuroPKI
Slovenia
EuroPKI TLCA
EuroPKI
Italy
people
servers
Politecnico di
Torino CA
EETIC CA
City of
Rome CA
Current status
root +
AT (IAIK)
IE (TCD)
IT (POLITO)
NO will retire on Dec 31, 2000
SI (IJS)
Italian tree, with 4 City Halls
integration with the Italian identity chip-card
Slovenian tree
UK (UCL)
EuroPKI services
certification
revocation
publication
data validation
competence centre
Certification
X.509v3 certificates
global CP (Certification Policy)
local CPS (Certification Practice Statement)
Certification policy
current draft:
28 pages
based on RFC-2527 (with extensions)
basic idea:
be as little restrictive as possible to allow
anybody to join ...
... while retaining a level of security
useful for practical applications
CP requirements
personal identification of the subject
secure management of the CA
periodic publication of CRL
Applications supported
Web:
SSL/TLS
signed applets
SSL-based applications:
telnet, FTP, SMTP, POP, IMAP, ...
e-mail:
S/MIME
IPsec (via SCEP)
DNS (?)
Publication
certificates and CRLs
Web servers:
for humans
directory server:
for applications
LDAP (local) directories
X.500 (global) directory
X.521 schema
Revocation
CRL (Certificate Revocation List)
cumulative list of revoked certificates
issued periodically
updated as needed
OCSP (On-Line Certificate Status
Protocol):
“is this cert valid now?”
unknown, valid, invalid
Time-stamping
proof of data existence at a given date
IETF-PKIX-TSP-draft-12
TSP server (Win32, Unix)
TSP client (GUI for Win32, shell for Unix)
TSP server
Attribute certificate
where should
I put additional
infos related
to a certificate?
inside the certificate, in order
to keep all data together
in a directory, or
in an attribute certificate
(draft-ietf-pkix-ac509prof)
Next steps
GARR PKI
European digital signature law
CDSA
automatic policy negotiation
Future
I have a dream ...
... a pan-european
open and public PKI
to enable network security
EuroPKI?