Certificate and CRL Profile and Public Key Algorithms - PowerPoint PPT Presentation

About This Presentation
Title:

Certificate and CRL Profile and Public Key Algorithms

Description:

... able to constrain the contents of alternative names without ... Constraints permit: c=US,o=XX (none) Cert #3. Issuer c=US,o=XX,cn=CA2. Subject (empty) ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 11
Provided by: Valued239
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: Certificate and CRL Profile and Public Key Algorithms


1
Certificate and CRL ProfileandPublic Key
Algorithms
  • Russ Housley Tim Polk
  • Dec. 13, 2000

2
Status
  • New algorithms draft posted in November
  • draft-ietf-pkix-ipki-pkalgs-01.txt
  • Ready for WG Last Call now
  • New son-of-RFC 2459 posted in November
  • draft-ietf-pkix-new-part1-03.txt
  • Son-of-RFC 2459 will be ready for WG Last Call in
    Late January 2001

3
Algorithms
  • It is done
  • However, some people think that it should specify
    a MUST implement certificate and CRL signature
    algorithm

4
Profile Modifications (1 of 2)
  • Recommended support for pseudonym to align with
    QC
  • Support for inhibit any-policy extension now
    required for conforming clients
  • Permit use of subject directory
    attributes extension
  • One new IETF extension
  • subject information access

5
Profile Modifications (2 of 2)
  • Removed public key validity period from the path
    validation algorithm inputs
  • Removed the issuer unique identifier from the
    trust anchor information
  • Aligned policy mapping processing with
    X.509-2000 rules
  • Other minor clarifications

6
Remaining Profile Work
  • More minor clarifications
  • relying party can supply constraints to the
    validation algorithm via inputs, not initial
    state variables
  • CRL DP extension explanation text
  • Finish removal of UIDs from path validation
    algorithm (missed one place)
  • Name constraints

7
Name Constraints
  • The relying party may be interested in using an
    alternative name form, such as the rfc822name
  • The CA MUST be able to constrain the contents of
    alternative names without requiring that all
    certificates in the chain include the
    constrained name form

8
 X.509 and Name Constraints
  • Semantics of excluded subtrees are clear
  • Semantics of permitted subtrees are subject of
    some dispute
  • PKIX Folks permitted subtrees are satisfied by a
    certificate if it contains one or more acceptable
    names
  • X.509 Folks permitted subtrees are satisfied
    when every subsequent certificate contains the
    specified name form and that name is within the
    subtree

9
Name Constraints Example
  • Cert 1 Cert 2
  • Issuer cUS,cnCA1 cUS,oXX,cnCA1
  • Subject cUS,oXX,cnCA1 cUS,oXX,cnCA2
  • Alt Name (none) (none)
  • Constraints permit cUS,oXX (none)
  • Cert 3
  • Issuer cUS,oXX,cnCA2
  • Subject (empty)
  • Alt Name alice_at_xx.com

10
Way Forward
  • Two Alternatives
  • Clarify X.509 so it works for PKIX-style paths
  • Develop new IETF name constraints extension
  • Clearly, the first alternative is preferable
  • Not in our control!
  • How long should we wait?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Certificate and CRL Profile and Public Key Algorithms" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!