Policy defined for No rights delegated (allows for a - PowerPoint PPT Presentation

Slides: 6
Provided by: ietf
Learn more at: https://www.ietf.org
1
Proxy Certificate Profile
  • draft-ietf-pkix-proxy-04
  • Motivation
  • Grid Computing users dynamically creating
    entities (e.g. computational jobs)
  • Need to name created entities
  • Need to grant rights to created entities
  • Dynamic nature of creation makes traditional CA
    process too heavyweight

2
Summary of Approach
  • End entity creates Proxy Cert (PC) for created
    entity
  • Looks like X.509 identity cert
  • Has critical extension identifying it as a PC
  • Has identity based off/scoped by EEC identity
  • But distinct and unique

3
Summary (cont)
  • Can contain intention of EE to delegate
    all/none/some of its rights to PC holder
  • Arbitrary policy for delegate
  • Define OID and policy blob
  • Policy defined for All (allows for
    impersonation in terms of authorization)
  • Policy defined for No rights delegated (allows
    for an independent proxy)
  • With PV changes, a PC chain works in place of
    standard EEC chain in TLS, SSL, etc.

4
Changes since Atlanta (draft-03)
  • Path validation now specified as additions to
    RFC 3280
  • Based on feedback from PKIX
  • As opposed to modifications to 3280
  • Describes steps for validating PC part of cert
    chain
  • Take outputs from 3280 PV and use to do PV on PC
    part of cert chain
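
An added example, not part of the original slides or the draft: a simplified Python model of validating the PC part of a chain once RFC 3280 path validation has accepted the EEC, and of how delegation policies narrow the rights along the chain. The dict-based certificates, the policy labels, the `allowed` field standing in for a policy blob, and the rule that a PC subject is the issuer's subject plus one component (the form used in the later RFC 3820) are assumptions; no signatures or ASN.1 are checked.

```python
# Added example: simplified model, certificates are plain dicts (constructed data).
INHERIT_ALL, INDEPENDENT = "inherit-all", "independent"  # labels, not real OIDs

def validate_proxy_chain(eec, proxies, eec_rights):
    """Check the PC part of a chain; `eec` is assumed to have already passed
    RFC 3280 path validation. Returns (ok, reason, effective_rights)."""
    issuer, rights = eec, set(eec_rights)
    for depth, pc in enumerate(proxies, 1):
        ext = pc.get("proxy_cert_info")
        # A PC is identified by a critical extension; without it, reject.
        if ext is None or not ext.get("critical"):
            return False, f"PC {depth}: no critical proxy extension", set()
        if pc["issuer"] != issuer["subject"]:
            return False, f"PC {depth}: issuer is not the previous cert", set()
        # Identity scoped by the issuer but distinct: issuer subject + 1 component.
        subj = pc["subject"]
        if len(subj) != len(issuer["subject"]) + 1 or subj[:-1] != issuer["subject"]:
            return False, f"PC {depth}: subject not scoped by issuer", set()
        policy = ext["policy"]
        if policy == INDEPENDENT:
            rights = set()                           # no rights delegated
        elif policy != INHERIT_ALL:
            rights &= set(ext.get("allowed", ()))    # hypothetical policy blob
        issuer = pc
    return True, "ok", rights

# Constructed sample chain: EEC -> restricted PC -> inherit-all PC.
EEC = {"subject": ("O=Grid", "CN=Alice")}
PC1 = {"issuer": EEC["subject"], "subject": EEC["subject"] + ("CN=job-1",),
       "proxy_cert_info": {"critical": True, "policy": "restricted",
                           "allowed": ["read"]}}
PC2 = {"issuer": PC1["subject"], "subject": PC1["subject"] + ("CN=job-2",),
       "proxy_cert_info": {"critical": True, "policy": INHERIT_ALL}}
# Constructed invalid PC: subject is not derived from the issuer's subject.
BAD_SUBJECT = {"issuer": EEC["subject"], "subject": ("O=Grid", "CN=Bob"),
               "proxy_cert_info": {"critical": True, "policy": INHERIT_ALL}}

if __name__ == "__main__":
    print(validate_proxy_chain(EEC, [PC1, PC2], {"read", "write"}))
    print(validate_proxy_chain(EEC, [BAD_SUBJECT], {"read", "write"}))
```

An inherit-all PC issued below a restricted or independent PC gains nothing back, because each step can only keep or narrow the rights of its issuer.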

5
Changes (cont)
  • ASN.1 module added
  • IETF/PKIX issued OIDs for defined policies
  • Correction of criticality of keyUsage extension in
    Proxy Certificates
  • Must be critical only if EEC's is critical