Certificate and CRL Profile and Public Key Algorithms - PowerPoint PPT Presentation

About This Presentation
Title:

Certificate and CRL Profile and Public Key Algorithms

Description:

... able to constrain the contents of alternative names without ... Constraints permit: c=US,o=XX (none) Cert #3. Issuer c=US,o=XX,cn=CA2. Subject (empty) ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 11
Provided by: Valued239
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: Certificate and CRL Profile and Public Key Algorithms


1
Certificate and CRL ProfileandPublic Key
Algorithms
  • Russ Housley Tim Polk
  • Dec. 13, 2000

2
Status
  • New algorithms draft posted in November
  • draft-ietf-pkix-ipki-pkalgs-01.txt
  • Ready for WG Last Call now
  • New son-of-RFC 2459 posted in November
  • draft-ietf-pkix-new-part1-03.txt
  • Son-of-RFC 2459 will be ready for WG Last Call in
    Late January 2001

3
Algorithms
  • It is done
  • However, some people think that it should specify
    a MUST implement certificate and CRL signature
    algorithm

4
Profile Modifications (1 of 2)
  • Recommended support for pseudonym to align with
    QC
  • Support for inhibit any-policy extension now
    required for conforming clients
  • Permit use of subject directory
    attributes extension
  • One new IETF extension
  • subject information access

5
Profile Modifications (2 of 2)
  • Removed public key validity period from the path
    validation algorithm inputs
  • Removed the issuer unique identifier from the
    trust anchor information
  • Aligned policy mapping processing with
    X.509-2000 rules
  • Other minor clarifications

6
Remaining Profile Work
  • More minor clarifications
  • relying party can supply constraints to the
    validation algorithm via inputs, not initial
    state variables
  • CRL DP extension explanation text
  • Finish removal of UIDs from path validation
    algorithm (missed one place)
  • Name constraints

7
Name Constraints
  • The relying party may be interested in using an
    alternative name form, such as the rfc822name
  • The CA MUST be able to constrain the contents of
    alternative names without requiring that all
    certificates in the chain include the
    constrained name form

8
 X.509 and Name Constraints
  • Semantics of excluded subtrees are clear
  • Semantics of permitted subtrees are subject of
    some dispute
  • PKIX Folks permitted subtrees are satisfied by a
    certificate if it contains one or more acceptable
    names
  • X.509 Folks permitted subtrees are satisfied
    when every subsequent certificate contains the
    specified name form and that name is within the
    subtree

9
Name Constraints Example
  • Cert 1 Cert 2
  • Issuer cUS,cnCA1 cUS,oXX,cnCA1
  • Subject cUS,oXX,cnCA1 cUS,oXX,cnCA2
  • Alt Name (none) (none)
  • Constraints permit cUS,oXX (none)
  • Cert 3
  • Issuer cUS,oXX,cnCA2
  • Subject (empty)
  • Alt Name alice_at_xx.com

10
Way Forward
  • Two Alternatives
  • Clarify X.509 so it works for PKIX-style paths
  • Develop new IETF name constraints extension
  • Clearly, the first alternative is preferable
  • Not in our control!
  • How long should we wait?
Write a Comment
User Comments (0)
About PowerShow.com