certificate repository structure
play

Certificate Repository Structure - PowerPoint PPT Presentation

Oct 28, 2023 •145 likes •320 views

Certificate Repository Structure draft-huston-sidr-repos-struct-00.txt Basic Model 'named objects make other named objects' Natural parent-child relationship in process Follow the hierarchy Nodes (ie directories) and Objects

  1. Certificate Repository Structure draft-huston-sidr-repos-struct-00.txt

  2. Basic Model ● 'named objects make other named objects' – Natural parent-child relationship in process ● Follow the hierarchy – Nodes (ie directories) and Objects (files) – Information management advantages ● Local sub-trees can be independently managed ● ‘what made me’ & ‘what do I make’ easy to find/combine into global information base ● Use g(AKI) and g(SKI) for names, CRL, '*IA' – Algorithmic naming, not real-entity. Tied to public key of certificate ● (very low) risk of hash collision ● Avoids ‘real world name’ politics

  3. Hierarchy model ● Rooted at each Trust Anchor (TA) – Trust anchor self signed – In repository name model, AKI == SKI – (don’t just trust self-signed or AKI==SKI, TA must be externally defined to be valid) ● For each certificate issued – Sub-dir at ‘node level’ (for products of certificate) named by SKI of certificate. Sub-dir contents: ● produced certs, CRL (for CA certs) ● Signed objects (for EE certs) – Name structure stable across certificate re-issuance ● if public key remains constant.

  4. Trust Anchors (self-reference) Canonical file name: pvpjvwUeQix2e54X8fGbhmdYMo0-2F.cer serial: 2F g(AKI): pvpjvwUeQix2e54X8fGbhmdYMo0 g(SKI): pvpjvwUeQix2e54X8fGbhmdYMo0 CRLdp: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ Trust Anchor pvpjvwUeQix2e54X8fGbhmdYMo0.crl Ipv4 10.0.0.0/8 AIA: rsync://repository.apnic.net/APNIC/ 192.168.0.0/16 pvpjvwUeQix2e54X8fGbhmdYMo0 SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0

  5. Products of TA Canonical file name: DLAl5E2IJgSdp2syO9gvEeptpsI-51.cer serial: 51 g(AKI): pvpjvwUeQix2e54X8fGbhmdYMo0 g(SKI): DLAl5E2IJgSdp2syO9gvEeptpsI CRLdp: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ Cert made by TA DLAl5E2IJgSdp2syO9gvEeptpsI/ DLAl5E2IJgSdp2syO9gvEeptpsI.crl Ipv4 10.0.0.0/8 192.168.0.0/16 AIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0 SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI

  6. Products of (products of TA) Canonical file name: zGJyRYzO3n7rcGV_hH-Hmn68OPY-505 .cer serial: 505 g(AKI): DLAl5E2IJgSdp2syO9gvEeptpsI g(SKI): zGJyRYzO3n7rcGV_hH-Hmn68OPY CRLdp: rsync://repository.apnic.net/APNIC/ Cert made pvpjvwUeQix2e54X8fGbhmdYMo0/ by Cert, DLAl5E2IJgSdp2syO9gvEeptpsI/ made by TA zGJyRYzO3n7rcGV_hH-Hmn68OPY/ zGJyRYzO3n7rcGV_hH-Hmn68OPY.crl Ipv4 10.0.0.0/8 AIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI zGJyRYzO3n7rcGV_hH-Hmn68OPY

  7. path discovery to TA g(AKI): AAAA TA is defined: g(SKI): AAAA terminate. crldp: URI-A/AAAA.crl TA AIA: URI-A/ SIA: URI-A/ g(AKI): AAAA g(SKI): BBBB Cert, crldp: URI-A/BBBB/BBBB.crl made by TA AIA: URI-A/ SIA: URI-A/BBBB g(AKI): BBBB Cert made g(SKI): CCCC by Cert, crldp: URI-A/BBBB/CCCC/CCCC.crl made by TA AIA: URI-A/BBBB/ SIA: URI-A/BBBB/CCCC

  8. Object-Name model For a CA ● – Your parent’s SKI became your AKI. – Your SKI becomes your children’s AKI Sha1 hash over ASN.1 of public key ● – Extremely low collision risk – g(ski) or g(aki)+<serial> unique for any given CA – g(ski) alone: all re-issues with same public key hash to same location (serials not involved) ● No name change with normal certificate renewal – Public key change == complete namespace rollover (unavoidable) Represented by ‘url friendly’ modified base64 ● representation, <64 chars per cert instance

  9. Hierarchy Implications ● Inter-RIR registration/transfers explicit in repository certificate, naming model ● Clean separation of address-types in hierarchy – Experimental separated from Historical from Current RIR policy from … ● Clean model for independent sub-trees – Provide publication point in RSYNC: URL space – Irrespective of local naming policy, cert identity in repository is deterministic – No risk of collision when uploaded into global repository structure

  10. Modified-Gutmann Alg: g(ski) Use of base64 Specified in rfc4387 ● – Reduces 160-bit sha1 to 27 char Base64 encoding. ● URLs not workable in filestore contexts due to presence of ‘/’ character. ● ‘+’ character interfered with URL parsing I-D.josefsson-rfc3548bis ● – Base64 transform, ‘/’ and ‘+’ replaced by ‘-’ and ‘_’ ● No size increase, URL friendly, filestore friendly – Can be implemented as a post-process on Base64 transform, or as a native function Resulting object names are at least 26 chars long ● – Plus serial (up to 20 chars of HEX) plus syntactic sugar for filename.ext purposes) – Under 64-char limits for older FS (but clearly over 8.3) – Not ‘mandatory' to implement as dir/file store, but useful

  11. Why not certificate names? These are not identity certs ● – No applicability in browsers, webservers, email signing – Identity checks for issuance still required but now local to issuer, no global context ● Unless driven by other needs – Can use ‘shadow cert’ process to derive certificates with apparent name for business purposes Avoids any consideration of entity name collision ● – in certificate namespace, encodings, field choices – directory name model is inherently complex Survivable across future models of address transfer/trading ● “it’s the crypto, not the name which secures” ● – Proof of knowledge of private key authorizes signed outcomes, not the name on the certificate in this model

  12. Operations models ● Authenticated copy – TA must be sourced out-of-band. – Fetch repository via rsync ● Crl from CRLdp of TA ● Repository contents via AIA of TA – Top-down walk to validate all objects published at TA ● Recurse for independent SIA/CRLdp ● Local sub-repository – Requires at LEAST path back to issuing TA to perform validation

  13. Why Rsync? ● Avoid inventing new protocol ● Desireable features – Can fetch single objects, trees – Byte efficient (only differing blocks) – No fetch of unchanged objects ● Downsides – May be expensive on server – Lax formal specification

  14. What do we get? ● Deterministic, simple naming ● Objects always have a known place in hierarchy ● EE certs, CRLs, 'products' nest cleanly inside 'producer' namespace ● Clean separation of certs by delegation (right back to TA == 'root')

  15. Natural hierarchies form TA1 prod(TA1) prod(TA1) prod(TA1) p(p(TA1)) CRL p(p(TA1)) ee(p(p(TA1))) roa(a) roa(b) roa(c)

  16. ...but you inherit multiple TA ISP-A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Two of many repository structure decisions path length placement of products and

Two of many repository structure decisions path length placement of products and

2009 Perforce User Conference Repository Structure Considerations for Performance Perforce Software Performance Lab Michael Shields, Manager Tim Brazil, Engineer Introduction Two of many repository structure decisions path length

302 views • 17 slides
Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson

Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson

Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson Background (Mostly) homogeneous environment Organizational structure Bcfg2 Our Approach Control what packages are available in the repository

153 views • 12 slides
Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day

Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day

BSB41515 C ERTIFICATE IV IN P ROJECT M ANAGEMENT P RACTICE BSB41515 Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day program Attendance sheet Active participation Assessment portfolio Initiating

829 views • 41 slides
TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures

TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures

TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures Conclusions History pop-up free server certificates History: SCS TERENA Server Certificate Service summer 2004: first idea

176 views • 17 slides
Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No

Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No

15/05/2013 Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No task or final exam for the Introduction to ICT mandatory. 1 15/05/2013 Credit Value Each Module has a value of 2 credits 2

462 views • 16 slides
Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR Fintech Index is a long-only, USD-based, actively managed total return index. The pace of innovation in financial technology (Fintech) has been

616 views • 26 slides
Grid Applica+on Meta-Repository - Repository interconnec+vity

Grid Applica+on Meta-Repository - Repository interconnec+vity

Grid Applica+on Meta-Repository - Repository interconnec+vity and cross-domain applica+on usage in distributed compu+ng environments - Alexandru Tudose

389 views • 14 slides
NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No. 2426-CPR-105 NEO is an innovative Public Address and Voice Alarm system that allows an easy audio installation with just one piece of equipment.

326 views • 7 slides
For student abcdef : the CS619 repository is: https://stsvn.cs.unh.edu/svn/cs619. abcdef

For student abcdef : the CS619 repository is: https://stsvn.cs.unh.edu/svn/cs619. abcdef

Subversion version control system enables collaborative work maintains di ff erent revisions of every file in a given repository any revision can be retrieved from the repository each revision is associated with a timestamp each revision is

254 views • 6 slides
Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM

Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM

Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM Performance Assessment Community of Practice Technical Exchange Meeting Presented by: Dr. Paul R. Dixon Nuclear Waste Program Manager Nuclear Waste

478 views • 19 slides
1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

4/3/2015 New Plastic Pilot Certificate So, Where Do I Start? What we will cover today Your old paper certificate is no longer valid. What it takes to be PIC again Google Search: Replacement of Airmen Certificate What has

485 views • 35 slides
Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety certification program National standard supported by the Canadian Federation of Construction Safety Association (CFCSA) Aimed at driving

320 views • 10 slides
Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of Need Process and Related Hospital Issues Research Division Staff, September 14, 2011 What is a COPA? An agreement among two or more hospitals

201 views • 19 slides
Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S.

Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S.

Bunker Hill Superfund Site: Coeur dAlene Basin Repository Monitoring and Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S. Environmental Protection Agency East Mission Flats Repository Monitoring

146 views • 14 slides
Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined COR is a workplace health and safety certification program All Legislative elements require 100% achievement National standard supported by

374 views • 9 slides
Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

The 18 th International Conference on Electronic Business December 2-6, 2018, Guilin, China CERTIFICATE Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo, Anhui University, China Hong Guo, Anhui

1.04k views • 102 slides
Introduction Paper presentation Ultra-Portable Devices Paper: Viterbi algorithm by

Introduction Paper presentation Ultra-Portable Devices Paper: Viterbi algorithm by

Introduction Paper presentation Ultra-Portable Devices Paper: Viterbi algorithm by analog components (Add-compare- select) C. Winstead, C. Schlegel. Analog Decoding: the State of the Art Fully parallel analog soft iterative

232 views • 4 slides
Slides Product Selection Guide Slide V Series ES TS 1000 GS L LP S Ultra- Power &amp;

Slides Product Selection Guide Slide V Series ES TS 1000 GS L LP S Ultra- Power &amp;

Slides Product Selection Guide Slide V Series ES TS 1000 GS L LP S Ultra- Power &amp; Line Switch Type Tiny Tiny Miniature Miniature Miniature Power miniature Voltage Poles 1 &amp; 2 1 1 &amp; 2 1 1 &amp; 2 1 &amp; 2 1

1.33k views • 116 slides
MAFS6010U Deep Learning Trading Course Project Instruction About us Professor YAO Yuan

MAFS6010U Deep Learning Trading Course Project Instruction About us Professor YAO Yuan

MAFS6010U Deep Learning Trading Course Project Instruction About us Professor YAO Yuan Teaching Assistants: Yifei Huang De Lavergne Cyril Wechat: cdldl24 About Data You are provided with historical minute-level OHLCV data of 4

268 views • 15 slides
How to Handle Globally Distributed QCOW2 Chains? Eyal Moscovici &amp; Amit Abir Oracle-Ravello

How to Handle Globally Distributed QCOW2 Chains? Eyal Moscovici &amp; Amit Abir Oracle-Ravello

How to Handle Globally Distributed QCOW2 Chains? Eyal Moscovici &amp; Amit Abir Oracle-Ravello About Us Eyal Moscovici Amit Abir With Oracle Ravello With Oracle Ravello since 2015 since 2011 Software Engineer in Virtual

336 views • 32 slides
Toward A Metaphysics of Nilpotent Regions Lu Chen University of Massachusetts, Amherst SMS 2019

Toward A Metaphysics of Nilpotent Regions Lu Chen University of Massachusetts, Amherst SMS 2019

Toward A Metaphysics of Nilpotent Regions Lu Chen University of Massachusetts, Amherst SMS 2019 1 / 27 Highlights Goal : Give a realistic interpretation of Smooth Infinitesimal Analysis (SIA) as a theory of space with infinitesimal features.

297 views • 27 slides
Enterprise Platform for Solar and Storage Deployment ENACT Signed Launch with DEWA The Scope of

Enterprise Platform for Solar and Storage Deployment ENACT Signed Launch with DEWA The Scope of

Enterprise Platform for Solar and Storage Deployment ENACT Signed Launch with DEWA The Scope of the Project is to leverage a complete end-to-end software platform for the design, deployment, execution and asset management of

147 views • 3 slides
If this stuff is so great, then why isnt everybody doing it? Harry Foster Chief Verification

If this stuff is so great, then why isnt everybody doing it? Harry Foster Chief Verification

If this stuff is so great, then why isnt everybody doing it? Harry Foster Chief Verification Scientist Functional Verification Technique Adoption An Optimistic View of the Productivity Gap Lets assume Number of transistor doubles

249 views • 6 slides
WELCOME Brisbane Region Meeting 11 June 2019, 347 Ann Street, Brisbane Brisbane Region

WELCOME Brisbane Region Meeting 11 June 2019, 347 Ann Street, Brisbane Brisbane Region

WHSQ Respirable Crystalline Silica &amp; Work Health &amp; Wellbeing T oolkit WELCOME Brisbane Region Meeting 11 June 2019, 347 Ann Street, Brisbane Brisbane Region Representatives Jo Kitney Jane Willis Cameron Caldwell SIA Brisbane

308 views • 27 slides

More recommend