CCSDS Security Working Group Fall 2015 Meeting: Certificate Management, 9 November – 13 November 2015...
CCSDS Security Working Group
Fall 2015 Meeting
Certificate Management
9 November – 13 November 2015
Darmstadt, Germany
Charles Sheehe
NASA/Glenn
Certificate needs
• A Structure
• A provider
• A protocol
What do we need
Structure
C: Country
ST: State
L: City
O: Organizational name
OU: Organizational Unit name
CN: Domain name
These data elements should be formatted identically to the way W3C PKI structures the “Issuer” element: as a record reflecting the identity of the CA.
What do we need
Structure continued, 1
• Version
• Serial Number
• Algorithm ID
• Validity
  • Not Before
  • Not After
• Subject Key Info
  • Key Algorithm
  • Subject Key
• Issuer Unique Identifier
• Subject Unique Identifier
• Any extensions with defined meanings (optional)
What do we need
Structure continued, 2
ROLE: The role of the subject in the SANA CA ecosystem. Can take values of:
• CA
• National CA
• Agency CA
• Domain CA
• DEVICE Cert
• OPERATOR Cert
• SOFTWARE Cert
• INSTALLER Cert
Each role will carry particular capabilities to engage in various kinds of communication. For instance, the INSTALLER role will be able to supply device installation metadata to SANA CA. The National CA role will be authorized to engage in National CA-CA and National CA-Agency CA communications.
SANA_ID: For a role certificate, this field contains the certification SANA ID.
SERIAL_NUM: For multiple end points within a SANA ID.
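
The subject structure and ROLE field described on these slides, written out as a profile check. This is an added example, not code from the presentation or from SANA. The dict record layout, the capability label strings, the sample values, and the rule that every DN attribute and SANA_ID must be present are assumptions.

```python
# Added illustration: field names come from the slides; the capability
# labels, the dict layout and the "all fields required" rule are assumptions.
import re

DN_ATTRS = ("C", "ST", "L", "O", "OU", "CN")
ROLES = {"CA", "National CA", "Agency CA", "Domain CA",
         "DEVICE Cert", "OPERATOR Cert", "SOFTWARE Cert", "INSTALLER Cert"}
# Only the two capabilities the slides state; anything else is denied.
CAPABILITIES = {
    "INSTALLER Cert": {"supply-device-installation-metadata"},
    "National CA": {"national-ca-to-ca", "national-ca-to-agency-ca"},
}
SAMPLE = {  # constructed sample record, not real data
    "subject": "C=DE, ST=Hessen, L=Darmstadt, O=Example Agency, "
               "OU=Ground Segment, CN=installer01.example.org",
    "ROLE": "INSTALLER Cert", "SANA_ID": "SANA-EXAMPLE-0001", "SERIAL_NUM": "1",
}

def parse_dn(dn):
    """Split 'C=DE, ST=Hessen, ...' into a dict, honouring backslash-escaped commas."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.strip().partition("=")
        if not sep or key not in DN_ATTRS:
            raise ValueError(f"unexpected DN component: {part.strip()!r}")
        if key in out:
            raise ValueError(f"duplicate DN attribute: {key}")
        out[key] = value.replace("\\,", ",").strip()
    return out

def validate_subject(record):
    """Return a list of problems; an empty list means the record fits the profile."""
    try:
        dn = parse_dn(record.get("subject", ""))
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing or empty DN attribute {a}" for a in DN_ATTRS if not dn.get(a)]
    if "C" in dn and not re.fullmatch(r"[A-Z]{2}", dn["C"]):
        problems.append("C must be a two-letter country code")  # X.520 countryName
    if record.get("ROLE") not in ROLES:
        problems.append(f"unknown ROLE {record.get('ROLE')!r}")
    if not record.get("SANA_ID"):
        problems.append("SANA_ID is required")
    return problems

def is_permitted(record, action):
    """Deny by default: a valid record may do only what is listed for its role."""
    return not validate_subject(record) and action in CAPABILITIES.get(record["ROLE"], set())
```
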
What do we need
Provider and protocol
• Certificate management organization
  • https://letsencrypt.org/
• Protocol for certificates:
  • Automatic Certificate Management Environment (ACME)
  • draft-barnes-acme-04
Discussion