Computer and Network Security Group

Download Report

Transcript Computer and Network Security Group

EuroPKI
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
The Copernican revolution
secure
Web
secure
e-mail
secure
remote
access
secure
VPN
secure
boot
X.509
certificate
secure
DNS
Win2000
security
no viruses
& Trojan horses
secure
routing
IP
security
Background

ICE-TEL project (1997-1998)
ICE-CAR project (1999-2000)
various national projects (1996-2000)

since January 1, 2000: EuroPKI


EuroPKI
EuroPKI
Norway
EuroPKI
Slovenia
EuroPKI TLCA
EuroPKI
Italy
people
servers
Politecnico di
Torino CA
EETIC CA
City of
Rome CA
Current status

root +
 AT (IAIK)
 IE (TCD)
 IT (POLITO)




NO will retire on Dec 31, 2000
SI (IJS)


Italian tree, with 4 City Halls
integration with the Italian identity chip-card
Slovenian tree
UK (UCL)
EuroPKI services

certification
revocation
publication
data validation

competence centre



Certification

X.509v3 certificates

global CP (Certification Policy)

local CPS (Certification Practice Statement)
Certification policy


current draft:
 28 pages
 based on RFC-2527 (with extensions)
basic idea:
 be as little restrictive as possible to allow
anybody to join ...
 ... while retaining a level of security
useful for practical applications
CP requirements

personal identification of the subject

secure management of the CA

periodic publication of CRL
Applications supported





Web:
 SSL/TLS
 signed applets
SSL-based applications:
 telnet, FTP, SMTP, POP, IMAP, ...
e-mail:
 S/MIME
IPsec (via SCEP)
DNS (?)
Publication

certificates and CRLs

Web servers:
 for humans

directory server:
 for applications
 LDAP (local) directories
 X.500 (global) directory
 X.521 schema
Revocation

CRL (Certificate Revocation List)
 cumulative list of revoked certificates
 issued periodically
 updated as needed

OCSP (On-Line Certificate Status
Protocol):
 “is this cert valid now?”
 unknown, valid, invalid
Time-stamping




proof of data existence at a given date
IETF-PKIX-TSP-draft-12
TSP server (Win32, Unix)
TSP client (GUI for Win32, shell for Unix)
TSP server
Attribute certificate
where should
I put additional
infos related
to a certificate?
inside the certificate, in order
to keep all data together
in a directory, or
in an attribute certificate
(draft-ietf-pkix-ac509prof)
Next steps

GARR PKI

European digital signature law

CDSA

automatic policy negotiation
Future

I have a dream ...

... a pan-european
open and public PKI
to enable network security
EuroPKI?