X9.68 - PowerPoint PPT Presentation

X9.68 Efficient Public Key Certificate Systems for Mobile Electronic Business Robert L. Geiger Motorola Labs – PowerPoint PPT presentation

Slides: 16
Provided by: gei85

Transcript and Presenter's Notes



1
X9.68
  • Efficient Public Key Certificate Systems for
    Mobile Electronic Business

Robert L. Geiger Motorola Labs
2
Goal: Business Oriented Public Key Infrastructure
  • Mobility: mobile terminals, wireless devices,
    satellite systems
  • Low bandwidth, limited storage and processing
    power
  • High transaction volumes: Internet trading and
    commerce
  • Risk management: business control of business
    systems; secure trading communities
  • Adaptable to changing business needs

3
Wireless world
  • Huge numbers of mobile devices soon to be data
    capable
  • Wireless Web being defined by Wireless
    Application Protocol (WAP) Forum
  • Need for certificates and public key
    infrastructure to support this environment

4
Domain Concept
  • Breaks PKI into autonomous domains
  • Compare to an intranet
  • Aims for efficiency and business control inside
    domain
  • Domains hooked together: Contract >
    cross-certify
  • Compare to Internet
  • Efficiency gained by size reductions and clear
    system architecture

5
Domain Architecture
  • Root CA defines PK system type and algorithms
  • Complexity and impact on end entities clearly
    visible
  • Domain root has unique identifier by inclusion of
    certificate hash with name
  • Local identifiers defined by business needs used
    within domain

6
Domains
Inter-domain (cross-certification)
  • Validation services used between domains for
    inter-operation

7
Registration Authorities
  • Seen as account manager type functionality
  • Multiple RAs per CA/AA allowed
  • RA may have different levels of allowed access
  • Must have certificate issued from CA allowing
    access; may have other requirements

8
Certification Authorities
  • Issue domain member (key bearing) certificates
    per requests from valid RAs
  • Source point for revocation
  • Revocation may be via CRL, online mechanism, or
    time limitations (i.e., pre-paid monthly service
    certificate)

9
Attribute Authorities
  • Handle issuing of account rights/properties that
    may change frequently (e.g., monthly purchased
    services)
  • May be CA or separate entity
  • Functionality kept simple, very small certs
  • May issue limited validity (i.e., monthly)
    attribute certificates with no revocation
    requirements

10
X9.68 Certificate Attributes
  • Bound to domain member certificate by domain
    local identifier; can be many small certificates
  • Simple as possible, must be length bounded
  • Business use case to be in X9.68 base
  • Can be inheritable (rights, group properties) or
    non-inheritable (personal properties)
  • Domains and organizations may define other types
    (organizational and domain types)

11
X9.68 Attributes...
  • A domain member may have multiple attributes,
    possibly from different AAs
  • Wireless Application Protocol will define
    organization specific payloads for its use cases
  • Idea is that interested standards organizations
    should define their payloads
  • Keep complex payloads to your domain!

12
X9.68 Usage communities
  • Tie domain to a community, i.e., stock traders,
    construction industry, doctors
  • Each community enrolls members and allows for
    secure, authenticated interaction between members
  • Communities make agreements for interaction
    (cross-certification)
  • Hook like-minded communities up to form special
    nets for business interaction

13
X9.68 communities
  • Communities defined by similar businesses or
    interests
  • Nets defined by communities interacting to do
    business
  • Trading, buying, selling, offering, all secured
    within and between communities

14
Size Reductions: Key Certificate
  • Example used 160-bit uncompressed EC keys, DER
    encoding, same information
  • X9.68 certificate saves > 50% over minimal X509v3
    with DNs
  • X9.68 certificate saves > 30% over X509v3
    modified by nulling DNs and making some items
    optional
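
Where the naming bytes go in a comparison like the one above, as an added example that is not part of the original slides and does not reproduce the X9.68 encoding: it DER-encodes two constructed X.509 distinguished names and compares their size with nulled names, a hypothetical 8-byte domain-local identifier, and an uncompressed 160-bit EC point. The sample names, the identifier length and the function names are assumptions.

```python
# Added illustration, not from the X9.68 slides: hand-rolled DER encoder that
# measures how many bytes X.509 distinguished names cost. All names are constructed.

def der_len(n):
    """DER definite-length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Tag, length, value triple."""
    return bytes([tag]) + der_len(len(value)) + value

# Last arc of the X.520 attribute type OIDs 2.5.4.x
CN, C, O, OU = 3, 6, 10, 11

def rdn(arc, text):
    """One RDN: SET { SEQUENCE { OID 2.5.4.arc, PrintableString text } }."""
    oid = tlv(0x06, bytes([0x55, 0x04, arc]))   # 0x55 = 40*2 + 5
    value = tlv(0x13, text.encode("ascii"))     # PrintableString
    return tlv(0x31, tlv(0x30, oid + value))

def name(pairs):
    """X.501 Name: SEQUENCE OF RDN."""
    return tlv(0x30, b"".join(rdn(arc, text) for arc, text in pairs))

# Constructed sample names for a mobile subscriber certificate.
ISSUER = [(C, "US"), (O, "Example Wireless"), (CN, "Example Domain Root CA")]
SUBJECT = [(C, "US"), (O, "Example Wireless"), (OU, "Subscribers"),
           (CN, "handset-00012345")]

def naming_overhead(local_id_len=8, key_bits=160):
    """Bytes spent on naming under three schemes, next to the raw EC public key."""
    return {
        "with_dns": len(name(ISSUER)) + len(name(SUBJECT)),
        "null_dns": 2 * len(name([])),          # two empty SEQUENCEs
        # Assumption: the domain-local identifier is a fixed-length OCTET STRING.
        "local_id": len(tlv(0x04, bytes(local_id_len))),
        # Uncompressed point: 0x04 || X || Y
        "ec_point": 1 + 2 * (key_bits // 8),
    }

if __name__ == "__main__":
    for scheme, size in naming_overhead().items():
        print(f"{scheme:9s} {size:4d} bytes")
```

With these constructed names the two DNs take 166 bytes, about four times the 41-byte public key they accompany, which is why naming dominates certificate size once the keys are small EC keys.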

15
Issues
  • Naming schemes for defined business usage
  • identification and name issues
  • Vendor interoperability
  • Protocols to support inter-domain operation
    (X9.68 defined cross-certificate format but not
    protocols)
  • Protocols for validation services for mobile
    devices (X9.68 defines message validation message
    formats but not protocol)