Use of AIA for Attribute Certificates - PowerPoint PPT Presentation

Provided by: david2254
Learn more at: http://www.ietf.org

Transcript and Presenter's Notes

1
Use of AIA for Attribute Certificates
  • d.w.chadwick@kent.ac.uk

2
Background
  • X.509 (2009) working on PMI interworking between
    domains
  • Defining several new AC extensions for role
    mappings, attribute hierarchies etc.
  • Needs an extension to point to the superior in a
    PMI delegation chain
  • AIA is the obvious choice, and this is being used
    by VOMS in the grid world
  • Last ITU-T meeting in Jeju (May 2006) issued a
    liaison statement to PKIX group asking if AIA can
    be used for ACs

3
Verifying Claimed Privilege
[Diagram: Bill (SOA) issues an AC to Alice's public key; Alice (AA) issues an AC to Bob's public key; the Root CA signs the public keys. Bob (Holder) issues a signed command to the Privilege Verifier (RP), which checks the delegation of privileges, checks all signatures and checks that the privilege is sufficient.]

4
Two types of trust chain need to be followed from
a presented AC
  • PKI chain of public key certificates from the signer
    of an AC to a root CA (trust anchor):
    Bob's AC → Alice's PKC → Root CA
  • PMI chain of attribute certificates from the holder
    of an AC to the Source of Authority (SoA):
    Bob's AC → Alice's AC → Bill (SoA)

5
Extensions to support trust chains
  • We can use Authority Key Identifier inside the
    holder's AC to point to the PKC of the AC issuer
  • AKI will point to Alice's PKC, and off we go
    using existing PKI rules
  • We want to use Authority Information Access
    inside the holder's AC to point to the AC of the AC issuer
  • AIA will point to Alice's AC

6
What are the problems with the latest AIA
3280bis-4 text?
  • Quote: "The authority information access extension
    indicates how to access information and services
    for the issuer of the certificate in which the
    extension appears" → EXCELLENT
  • BUT
  • Quote: "This extension may be included in end
    entity or CA certificates"
  • Q. Does this exclude ACs? Stephen thinks not.
  • Quote: "The id-ad-caIssuers OID is used when the
    additional information lists certificates that
    were issued to the CA that issued the certificate
    containing this extension"
  • Problem. The access method is specifically
    focussed on CA certificates and does not allow it
    to be used to point to ACs

7
Resolution
  • Either
  • We define a new access method, id-ad-aaIssuers,
    identical to the current one in syntax, but with
    a different name, OID and descriptive text
  • Or
  • We modify the existing access method by calling
    it id-ad-issuers and change the current text from
    "The id-ad-caIssuers OID is used when the
    additional information lists certificates that
    were issued to the CA that issued the certificate
    containing this extension" to
    "When the id-ad-issuers OID is used, the
    additional information lists certificates that
    were issued to the CA that issued the certificate
    containing this extension"
  • And change all occurrences of id-ad-caIssuers to
    id-ad-issuers
  • We can then write appropriate text for
    id-ad-issuers when it occurs in ACs
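
As an added illustration (not from the slides or from the 3280bis text they quote), the following Python encodes and decodes the AuthorityInfoAccessSyntax discussed in slides 5 to 7 and picks out the access locations listed under one access method, which is what a privilege verifier following the PMI chain would need to do. The id-ad-aaIssuers OID value and the URIs are placeholders, since the slides propose the name but assign no OID; id-ad-caIssuers is the real OID from RFC 3280.

```python
# Minimal DER codec for AuthorityInfoAccessSyntax (RFC 3280 4.2.2.1): SEQUENCE OF
# AccessDescription { accessMethod OID, accessLocation GeneralName }; only [6] URI locations handled.
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # id-ad-caIssuers, the real OID
ID_AD_AA_ISSUERS = "1.3.6.1.5.5.7.48.999"  # hypothetical placeholder: the slides propose the name, no OID

def _tlv(tag, body):                        # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _read_tlv(buf, pos):                    # -> (tag, body, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # base-128; high bit set = more bytes follow
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_aia(descs):
    """[(access_method_oid, uri)] -> DER AuthorityInfoAccessSyntax."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(oid) + _tlv(0x86, uri.encode("ascii")))
                                for oid, uri in descs))

def decode_aia(der):
    """DER AuthorityInfoAccessSyntax -> [(raw accessMethod OID contents, uri)]."""
    _, seq, _ = _read_tlv(der, 0)           # outer SEQUENCE OF
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)  # one AccessDescription
        _, oid, p = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, p)
        if loc_tag == 0x86:                 # [6] uniformResourceIdentifier
            out.append((oid, loc.decode("ascii")))
    return out

def access_uris(aia_der, method):
    # URIs under one access method: the issuer's AC under the proposed id-ad-aaIssuers,
    # the issuer's PKC under id-ad-caIssuers. Compared on raw OID contents, so no OID decoder.
    return [uri for oid, uri in decode_aia(aia_der) if oid == encode_oid(method)[2:]]
```

With a holder's AC carrying both methods, `access_uris(der, ID_AD_AA_ISSUERS)` returns only the AC pointer, leaving the id-ad-caIssuers entry to the PKI chain.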