[Page 1]
EuroPKI
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
[Page 2]
The Copernican revolution
(diagram: the X.509 certificate at the centre, with secure Web, secure e-mail, secure remote access, secure VPN, secure DNS, Win2000 security, secure boot, no viruses & Trojan horses, IP security and role-based security orbiting around it)
[Page 3]
The actual (Ptolemaic) poor situation
(diagram: one user, a separate credential per service: a password at the ISP for POP and web; a login and password at the university for DBMS, SSH, login and file transfer; a PKI (X) certificate for S/MIME and web)
[Page 4]
What is EuroPKI?
EuroPKI is a spontaneous aggregation of certification authorities that share the vision of setting up a pan-European PKI to support the deployment of effective, interoperable network security techniques.
[Page 5]
Background
ICE-TEL project (1997-1998)
ICE-CAR project (1999-2000)
various national projects (1996-2000)
since January 1, 2000: EuroPKI
[Page 6]
EuroPKI
(diagram of the hierarchy: the EuroPKI TLCA at the top; the national sub-trees EuroPKI Italy, EuroPKI Austria and EuroPKI Slovenia below it; member CAs such as the Politecnico di Torino CA, the City of Rome CA and the EETIC CA; at the leaves, certificates for people and servers)
[Page 7]
Constituency
root + AT (IAIK)
IE (TCD)
IT (POLITO): Italian tree, with 4 City Halls; integration with the Italian identity chip-card
SI (IJS): Slovenian tree
UK (UCL)
[Page 8]
Prospective partners
there have been talks within the TERENA PKI-coord task force
expressions of interest from: Surfnet (NL), Rediris (ES), Thessaloniki Univ. (GR), Garr (IT)
[Page 9]
Why a hierarchy?
it’s the only solution that works now for most applications (especially COTS)
EuroPKI might move to other schemes (e.g., cross-certification, bridge) if and when applications supporting them become available
[Page 10]
EuroPKI services
EuroPKI is not “selling” services, although it provides: certification, revocation, publication, data and cert validation
aggregation point for: competence centre, coordination
[Page 11]
Certification
X.509v3 certificates
global CP (Certificate Policy)
local CPS (Certification Practice Statement)
[Page 12]
Certification policy
current draft: 28 pages, based on RFC 2527 (with extensions)
basic idea: be as unrestrictive as possible, so that anybody can join, while retaining a level of security useful for practical applications
[Page 13]
Strong CP requirements
personal identification of the subject
secure management of the CA
periodic publication of CRL
[Page 14]
Applications supported
Web: SSL/TLS, signed applets
SSL-based applications: telnet, FTP, SMTP, POP, IMAP, ...
e-mail and secure documents: S/MIME, PKCS-7, CMS, …
IPsec (also on routers, via SCEP)
(looking into secure DNS)
[Page 15]
Publication
certificates and CRLs
Web servers: for humans
directory servers: for applications
LDAP (local) directories
X.500 (global) directory
X.521 schema
[Page 16]
Revocation
CRL (Certificate Revocation List): cumulative list of revoked certificates, issued periodically and updated as needed; a CRL only reflects revocations up to its issue time, so a certificate revoked after that still validates against it until the next CRL is published
OCSP (On-line Certificate Status Protocol): “is this cert valid now?”; answers: unknown, valid, invalid (good / revoked / unknown in the protocol’s own terms)
[Page 17]
Time-stamping
proof of data existence at a given date
IETF-PKIX-TSP-draft-14
TSP server (Win32, Unix)
TSP client (cmd-line; GUI only for Win32)
(diagram: TSP client and TSP server)
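The request/response/verification exchange of PKIX-TSP (later RFC 3161), replayed with the OpenSSL command line, as an added example that is not EuroPKI's TSP server or client: a throw-away CA issues a TSA certificate carrying the critical timeStamping extended key usage the protocol requires, the client hashes a document and sends only the hash, the TSA signs hash plus time into a token, and the client later checks the token against the original document and against an edited copy. Every name below (Demo CA, Demo TSA, the policy OID 1.2.3.4.1, contract.txt) is made up for the example; it assumes only the openssl 1.1.1 or 3.x binary.

```shell
#!/bin/sh
# Added example, not EuroPKI code. Requires the openssl CLI (1.1.1 or 3.x).
# Demo CA, Demo TSA, the policy OID 1.2.3.4.1 and contract.txt are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# A throw-away self-signed CA that will certify the TSA.
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Demo CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt >/dev/null 2>&1

# TSA certificate: the protocol requires a critical extendedKeyUsage of
# id-kp-timeStamping and nothing else; `openssl ts -verify` rejects tokens
# signed under a certificate without it.
openssl req -newkey rsa:2048 -nodes -keyout tsa.key -out tsa.csr \
    -subj "/CN=Demo TSA" >/dev/null 2>&1
printf 'extendedKeyUsage=critical,timeStamping\n' > tsa.ext
openssl x509 -req -in tsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile tsa.ext -out tsa.crt >/dev/null 2>&1

# TSA-side configuration read by `openssl ts -reply`.
cat > tsa.cnf <<'EOF'
[ tsa ]
default_tsa = demo_tsa
[ demo_tsa ]
serial            = ./tsa_serial
signer_cert       = ./tsa.crt
signer_key        = ./tsa.key
certs             = ./ca.crt
signer_digest     = sha256
default_policy    = 1.2.3.4.1
digests           = sha256
accuracy          = secs:1
ordering          = yes
tsa_name          = yes
ess_cert_id_chain = no
EOF

# Client step 1: hash the document into a TimeStampReq (only the hash leaves
# the client; -cert asks the TSA to include its certificate in the answer).
# TSA step 2: sign hash + current time into a TimeStampResp.
timestamp() {   # $1 = document, $2 = token file to create
    openssl ts -query -data "$1" -sha256 -cert -no_nonce -out "$2.tsq" >/dev/null 2>&1
    openssl ts -reply -config tsa.cnf -queryfile "$2.tsq" -out "$2" >/dev/null 2>&1
}

# Client step 3, possibly years later: does the token prove that exactly this
# data existed at the signed time? Checks signature, chain, TSA purpose and
# message imprint. Prints OK or FAILED.
token_matches() {   # $1 = data file, $2 = token file
    if openssl ts -verify -data "$1" -in "$2" -CAfile ca.crt >/dev/null 2>&1
    then echo OK; else echo FAILED; fi
}

printf 'Contract text, version 1\n' > contract.txt
timestamp contract.txt contract.tsr
printf 'Contract text, version 1 (edited)\n' > contract-edited.txt
echo "original document: $(token_matches contract.txt contract.tsr)"         # OK
echo "edited document:   $(token_matches contract-edited.txt contract.tsr)"  # FAILED
```

The point of the last two lines: the token binds the hash, not the file name, so any later change to the data makes verification fail, while the TSA never saw the document itself.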
[Page 18]
OCSP
OCSP server (Unix, Win32)
automatic CRL collection from several CAs
OCSP library + cmd-line client (Unix, NT)
(diagram: the OCSP server collects CRLs; a client with the embedded OCSP library queries it instead of fetching the CRLs itself)
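One added example serving both the revocation slide (CRL versus OCSP) and this OCSP slide, written with the OpenSSL command line and not EuroPKI's own OCSP server or library: a throw-away CA issues a certificate, publishes a CRL, revokes the certificate, and the script shows what a relying party concludes from the old CRL, from a fresh CRL, and from an OCSP answer built from the CA's own database. The CA's index.txt stands in for the "automatic CRL collection" of the slide; Demo CA and alice are made up for the example, and only the openssl 1.1.1 or 3.x binary is assumed.

```shell
#!/bin/sh
# Added example, not EuroPKI code. Requires the openssl CLI (1.1.1 or 3.x).
# Demo CA and alice are made up for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# Configuration for `openssl ca`; index.txt is the CA's record of issued and
# revoked certificates and feeds both the CRLs and the OCSP answers below.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = ./index.txt
new_certs_dir    = .
certificate      = ./ca.crt
private_key      = ./ca.key
serial           = ./serial
crlnumber        = ./crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
: > index.txt; echo 01 > serial; echo 01 > crlnumber

# Self-signed CA certificate with explicit CA extensions: keyCertSign so it may
# issue certificates, cRLSign so verifiers accept its CRLs.
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/CN=Demo CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt >/dev/null 2>&1

# End-entity certificate for alice, issued through the database so that it can
# later be revoked.
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr -subj "/CN=alice" >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in alice.csr -out alice.crt >/dev/null 2>&1

# What a relying party holding a given CRL concludes: prints valid|revoked.
crl_says() {   # $1 = CRL file
    if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" alice.crt >/dev/null 2>&1
    then echo valid; else echo revoked; fi
}

# OCSP round trip run offline: the client builds an OCSPRequest, the CA answers
# it straight from index.txt and signs the OCSPResponse, the client verifies
# the signature and reads the status. Prints good|revoked|unknown.
ocsp_says() {
    openssl ocsp -issuer ca.crt -cert alice.crt -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -respin resp.der -issuer ca.crt -cert alice.crt -no_nonce -CAfile ca.crt \
        2>/dev/null | sed -n 's/^alice\.crt: //p'
}

openssl ca -config ca.cnf -gencrl -out before.crl >/dev/null 2>&1
echo "CRL issued before revocation:    $(crl_says before.crl)"   # valid
openssl ca -config ca.cnf -revoke alice.crt -crl_reason keyCompromise >/dev/null 2>&1
echo "that same CRL, after revocation: $(crl_says before.crl)"   # valid: the gap a CRL leaves open
echo "OCSP, right after revocation:    $(ocsp_says)"             # revoked
openssl ca -config ca.cnf -gencrl -out after.crl >/dev/null 2>&1
echo "fresh CRL, after revocation:     $(crl_says after.crl)"    # revoked
```

The third echo is the slide's argument in one line: a relying party that cached before.crl keeps accepting alice's compromised certificate until the next CRL is published, while the OCSP answer reflects the revocation immediately because it is computed from the CA's current database.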
[Page 19]
SSL-telnet, SSL-ftp
SSL channel
server authentication
client authentication can supplement or replace passwords
server for Unix and Win32 (FTP only)
client for Unix (cmd-line) and Win32 (GUI)
(diagram: SSL-x client to SSL-x server; the server consults LDAP and OCSP)
[Page 20]
Authentication or authorization?
most of the problems are trust-related
often this is due to the wrong and unnecessary coupling of authentication with authorization
we need to cut this knot: authenticate only once and globally; authorize on a local basis, with local control
[Page 21]
Attributes / roles / permissions …
where should I put additional information related to a certificate?
in a directory, or in an attribute certificate
inside the certificate, in order to keep all data together
[Page 22]
Next steps
European digital signature law: qualified certificates, voluntary accreditation
support for other EC projects:
NASTEC (PKI-based secure IS; PKI at least for Poland and Romania)
TESI (CDSA-based security middleware)
[Page 23]
On-going technical work
cleanly separate authentication and authorization (local file, LDAP, AC, …)
DNS as a repository, DNSsec
automatic policy negotiation (L3 … L7):
policy description (XML-based language)
policy negotiation (ISPP)
policy compliance (enforcement gateway)
integration with Win2000: LDAP, IPsec, DNSsec
[Page 24]
Future
I have a dream ...
... a pan-European open and public PKI to enable network security
who is interested?
EuroPKI?