CRL Processing Rules. Santosh Chokhani March

Similar documents
A General, Flexible Approach to Certificate Revocation Dr. Carlisle Adams & Dr. Robert Zuccherato Entrust, Inc.

Example: Revocation Reasons in X.509. Certificate revocation. How to authenticate public keys. Chapter 7 A with certificates.

FINA QUALIFIED TIME-STAMPING PRACTICE STATEMENT

The Safety Case. The safety case

The Safety Case. Structure of Safety Cases Safety Argument Notation

Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

CEPA Initiative: Response Time Guideline 2015 EMERGENCY SECURITY MANAGEMENT WORK GROUP

CS 4649/7649 Robot Intelligence: Planning

SANTA BARBARA COUNTY AIR POLLUTION CONTROL DISTRICT POLICIES AND PROCEDURES. Policy No Draft Div Pol Yr

Critical Systems Validation

CS 351 Design of Large Programs Zombie House

S T A T E O F M I C H I G A N BOARD OF COMMISSIONERS OF THE COUNTY OF ALLEGAN. January 14, 2010 EMERGENCY MANAGEMENT APPROVE EMERGENCY OPERATIONS PLAN

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Adaptability and Fault Tolerance

Iteration: while, for, do while, Reading Input with Sentinels and User-defined Functions

CONTINUING REVIEW 3/7/2016

Simplicity to Control Complexity. Based on Slides by Professor Lui Sha

1.0 PURPOSE 2.0 REFERENCES

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Better Search Improved Uninformed Search CIS 32

Proposed Bicycle Ambassador Program. Transportation Enhancement Funding Application

Redesign of the International Timetabling Process (TTR) Ljubljana, 19 February 2019

The Scrum Guide. The Definitive Guide to Scrum: The Rules of the Game. July Developed and sustained by Ken Schwaber and Jeff Sutherland

Debenture Servicing Audit

Search I. Tuomas Sandholm Carnegie Mellon University Computer Science Department. [Read Russell & Norvig Chapter 3]

PositionMaster EDP300 Extended Diagnostics. Compact, well-proven, and flexible

Applying Bi-objective Shortest Path Methods to Model Cycle Route-choice

Provider ICD 10 Compliant Release A S K E S I S W E B I N A R F E B R U A R Y 1 9,

FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide. Version 2.0

Duties of WAH Competent Persons

NOVA SCOTIA DRILL COMPETITIONS. Revision Date : Sep. 28, 2002 Royal Canadian Air Cadets Drill Competition 1

Distributed Systems [Fall 2013]

PROCESS FOR CONSIDERATION FOR EXCEPTIONAL 12 YEAR OLD MALE HOCKEY PLAYER STATUS

York Scarborough Bridge Economic Appraisal Update Technical Note

Procedures for operation of the TA Instruments DSC

CONTINUITY OF SERVICE PLAN FOR THE LRIT SYSTEM

Solenoid Valves used in Safety Instrumented Systems

Agile & Lean Education Associates. The Daily Scrum. by Richard Dick Carlson. Copyright 2014, Richard Carlson; All Rights Reserved 1

TRAFFIC IMPACT STUDY CRITERIA

Unit 5: Prioritize and Manage Hazards and Risks STUDENT GUIDE

BSR GPTC Z TR GM References and Reporting Page 1 of 8

Committee on NFPA 85

Avoiding Short Term Overheat Failures of Recovery Boiler Superheater Tubes

Uninformed search methods

Uninformed Search (Ch )

SAC 047 SSAC Comment on the ICANN gtld Registry Transition Processes Model

FedRAMP Continuous Monitoring Performance Management Guide. Version 2.0

MSC Guidelines for Review of Rigging Systems for Sailing Vessels

PSM I PROFESSIONAL SCRUM MASTER

Legendre et al Appendices and Supplements, p. 1

Quality Planning for Software Development

High usability and simple configuration or extensive additional functions the choice between Airlock Login or Airlock IAM is yours!

PRACTICAL EXAMPLES ON CSM-RA

Standard Operating Policy and Procedures (SOPP) 3:

IST-203 Online DCS Migration Tool. Product presentation

Creative Commons License Attribution

Surge suppressor To perform its intended functions, an AEI site must have the components listed above and shown in Fig. 4.1.

The Role of Steele Athletics Staff:

CHAPTER 1 INTRODUCTION TO RELIABILITY

D-Case Modeling Guide for Target System

Scrum Portfolio jumshat.com

Who takes the driver seat for ISO and DO 254 verification?

SAN FRANCISCO MUNICIPAL TRANSPORTATION AGENCY BOARD OF DIRECTORS. RESOLUTION No

Global Certifying Authority for Scrum and Agile Professionals

In station areas, new pedestrian links can increase network connectivity and provide direct access to stations.

Global Certifying Authority for Scrum and Agile Professionals. Authorized Training Partner

Problem Solving as Search - I

ORF 201 Computer Methods in Problem Solving. Final Project: Dynamic Programming Optimal Sailing Strategies

AutonoVi-Sim: Modular Autonomous Vehicle Simulation Platform Supporting Diverse Vehicle Models, Sensor Configuration, and Traffic Conditions

EMORY CIVIL RIGHTS AND LIBERTIES MOOT COURT COMPETITION FALL 2018 COMPETITION RULES

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

Transformational Safety Leadership. By Stanley Jules

Review of Research by the Convened IRB

Contractor/Visitor Safety Orientation UNBC

The Scrum Guide. The Definitive Guide to Scrum: The Rules of the Game. October Developed and sustained by Ken Schwaber and Jeff Sutherland

Policy for Evaluation of Certification Maintenance Requirements

Helicopter Safety Recommendation Summary for Small Operators

Abstract Currently there is a growing interest in the evolutionary algorithm paradigm, as it promises a robust and general search technique. Still, in

DEPARTMENT OF THE NAVY DIVISION NEWPORT OFFICE OF COUNSEL PHONE: FAX: DSN:

Assessing Combined Assurance

LISP-DDT implementation status and deployment considerations

Test Refresh: Timeline & FAQs

June 13, Dear Sir,

The City has been approached by several individuals about the destruction of their fruits and vegetables.

NATIONAL COMPUTER SECURITY CENTER TRUSTED DATABASE MANAGEMENT SYSTEM INTERPRETATION

FIRE PROTECTION. In fact, hydraulic modeling allows for infinite what if scenarios including:

The IEC61508 Project Manager's & Project Engineer's hymn sheet

Problem Solving Agents

CAVING REGISTRATION LEVELS AND ASSESSMENT REQUIREMENTS

Well-formed Dependency and Open-loop Safety. Based on Slides by Professor Lui Sha

Literature Review: Final

Virtual Breadboarding. John Vangelov Ford Motor Company

Flyweight Pattern. Flyweight: Intent. Use sharing to support large numbers of fine-grained objects efficiently. CSIE Department, NTUT Chien-Hung Liu

CSE 3402: Intro to Artificial Intelligence Uninformed Search II

IMCA Competence Assessment Portfolio June 2013

MILTON ROAD LLF PROJECT UPDATE

Amendment 80 Non-AFA Trawl Gear Catcher/Processor

PC-based systems ELOP II-NT

CSC242: Intro to AI. Lecture 21

Transcription:

CRL Processing Rules Santosh Chokhani March 17 2005

Historical Timeline Issues and Resolution Briefing Contents Summary of Recommended Editorial Changes to RFC 3280 and RFC 2560, and X.509 Path Matching Algorithm Backup Slides 2

Historical Timeline 3 DoD PKI motivates development of CRL Processing Rules (1997-98) Rules submitted to X.509 Editor (1998-99) X.509 accepted Input as Normative Annex (1999) RFC 3280 uses the Annex to define CRL Processing Rules (??) (2002) Issue of some CA products not asserting IDP for partial CRL comes to light (2002) Three discussion threads on PKIX on the issue of similarity of certificate Certification Path and CRL Certification Path (2002-04)

Issues and Resolution What identifies a CA: name only or name + key? What does absence of IDP mean? How to ensure a CRL is from a CRL Issuer as intended by the certificate issuing CA? Should circularity be permitted during revocation status checking? 4

What identifies A CA Issue For certificates and CRL processing logic, is a CA defined by name only or by name and a signing private key/signature verification public key Resolution A CA is identified by name alone Basis Numerous places in X.509 and RFC 3280 Section 7 of X.509 Recommendation Add a statement to RFC 3280 that a CA is identified by name 5

What Does Absence of IDP in a CRL Mean Issue What does absence of IDP in a CRL mean for the scope of that CRL Resolution Absence of DP in IDP means that the CRL is complete for the scope implied by the presence or absence of other fields in the IDP for the CRL Issuer Corollary: Absence of IDP in a CRL means that CRL is complete for all certificates issued by the CA Basis IDP extension description in RFC 3280 IDP extension description in X.509 CRL processing rules in RFC 3280 CRL processing rules in X.509 (Annex B) Recommendations No change 6

How to Ensure CRL is from the Correct CRL Issuer Issue How to ensure a CRL is from a CRL Issuer as intended by the certificate issuing CA Resolution If the CRL and certificate to validate are signed by the same key and the Issuer name in certificate = Issuer Name in CRL, done Else use the algorithm defined next Basis Need to ensure that the CRL obtained was issued by a CRL Issuer that the certificate issuer intended Need to account for multiple CAs with the same name Recommendations Add the text to 3280 Text already recommended for X.509 7

Path Matching Algorithm: Motivation 8 There can be more than one CA with the same name If the certificate and CRL are signed using different keys, how do you know if these are two different CAs or the same CA is using different key Different keys can be used due to having different certificate and CRL signing keys or due to CA re-key Starting with a TA, the relying party can match the CA names in the certificate and CRL certification paths Assumes that a CA will not certify two distinct CAs with the same name

Path Matching Algorithm: Assumption For indirect CRL, we have some choices to define the algorithm State that specification does not address it Make one of the following trust assumptions Assume that Indirect CRL Issuer is issued a certificate by the certificate issuer Assume that the indirect CRL issuer is one of the ancestors Assume that the indirect CRL issuer is issued a certificate by one of the ancestors (selected appears to be most flexible) Assume that the indirect CRL issuer is one of the ancestors or issued a certificate by the trust anchor ((selected appears to be most flexible) 9

10 Path Matching Algorithm: Initialization One Develop certificate certification path Develop a list of (certpath-subject 0 ) (certpathissuer 1, certpath-subject 1 ) (certpath-issuer 2, certpath-subject 2 ) etc., where certpathsubject 0 is the trust anchor DN and item (certpath-issuer i, certpath-subject i ) is the issuer and subject DNs from the i th certificate Delete all entries i, where certpath-issuer i = certpath-subject i Get rid of self-issued certificates Renumber the entries to 1 through N cert

11 Path Matching Algorithm: Initialization Two Develop CRL certification path Develop a list of (CRLpath-subject 0 ) (CRLpathissuer 1, CRLpath-subject 1 ) (CRLpath-issuer 2, CRLpath-subject 2 ) etc., where CRLpathsubject 0 is the trust anchor DN and item (CRLpath-issuer i, CRLpath-subject i ) is the issuer and subject DNs from the i th certificate Delete all entries i, where CRLpath-issuer i = CRLpath-subject i Get rid of self-issued certificates Renumber the entries to 1 through N CRL

Path Matching Algorithm: Initialization Three If certpath-issuer Ncert = CRLpath-subject NCRL verify that N cert = N CRL + 1 For direct CRL, the CRL certification path is one less than certificate certification path If certpath-issuer Ncert CRLpath-subject NCRL, set N CRL = N CRL -1 For indirect CRL, the CRL issuer may or may not be in the certificate certification path Verify that N CRL < N cert N cert = N cert -1 Ignore the end entity certificate for the match Set j = 1 Set iteration count Set N = Min (N CRl,N cert ) Set number of DNs to match 12

Path Matching Algorithm: Path Names Matching Logic Verify certpath-subject 0 = CRLpath-subject 0 Match the trust anchor DNs Do while j N Verify certpath-issuer j = CRLpath-issuer j Verify certpath-subject j = CRLpath-subject j Enddo 13

Path Matching Algorithm: CRL Issuer Name Matching Logic Verify that the Subject DN in the last certificate in the CRL certification path = Issuer Name in the CRL Apply RFC 3280 Section 6.3 logic You still need to apply all certification path validation rules to the CRL certification path 14

Benefits Mitigates Threats: Microsoft Orion CA Chokhani (#10 compromised) VeriSign Orion CA (not the same) CRL (does not have number 10 Room for mischief or honest error Efficiency in path development for CRL 15

Path Matching Algorithm: Epilogue One way to achieve some of the requirements is to use the requirement to guide the certification path building for CRL This obviates the need for extra logic and makes the CRL certification path development efficient Algorithm presented can be optimized for computational complexity and code foot print Some checks are redundant They are listed here to provide a modular and easy to understand algorithm 16

IETF PKIX November Meeting 3280 Editors Response: Common TA solves 80% of problem Problems with Editors View Hopefully TA does not mean the same key, but simply the same DN (TA could also re-key) 3280 and X.509 are trust model neutral; they do not even recommend using name constraints Reticence of 3280 authors unclear given that the logic presented can ensure security and help with performance by finding the CRL path extremely efficiently 17

Other CRL Processing Related Points Keep in mind, you always have the CRL before you build the path to it You can build the CRL certification path using issuer, subject pairs from the certificate certification path Can be used to build the path in either direction (TA to CRL Issuer or CRL Issuer to TA) You can use AKID in the CRL to select the CRL Issuer certificate 18

Alternative Extension to CRL Path Matching Algorithm: Motivation In lieu of path matching algorithm presented, one can determine if the CRL is from the same CA as the certificate issuer, if CRL contains keys or hash of keys used by the CA to sign certificates; and Certificate in question is signed using one of the keys or key hashes asserted (enumerated) in the CRL by the CA claiming to be certificate signing keys Enhance cryptographic binding between the CRL signing key and certificate signing key 19

20 Alternative Extension to CRL Path Matching Algorithm A CRL entry extension could be defined that contains the hash of the certificate issuer subjectpublickeyinfo A CRL extension could be defined containing SEQUENCE of hashes of the certificate issuer subjectpublickeyinfo SET may be better from the point of view of matching efficiency If the Issuer certificate signing key hash matches any of these values, the CRL is from the same CA as the certificate Useful for OCSP Responders IDP still defines the scope The assumption that a CA will not be an indirect CRL Issuer for another CA with the same name is reasonable Still need to discover CRL path

Problem of Locating CRL Signer Certificate: Direct CRL Example Assumption: Relying party can not access a directory/repository Old Key TA CA 1 CA 2 How to find this certificate New Key CRL CA 2 Certificate 21

Problem of Locating CRL Signer Certificate: Indirect CRL Example Assumption: Relying party can not access a directory/repository TA CA 1 CA 2 How to find this certificate CAI CRL Certificate 22

23 Solution: AIA Extension in CRL Solution originator: Stefan Put a non-critical AIA extension in the CRL CRL can be used to locate the CRL signer certificate Requires minor revision to RFC 3280 description of AIA Replace CA with authority Make appropriate changes to attribute type for DAP access Opportunity to clarify the format of AIA target (certificate or p7 file)

Circularity in Revocation Checking: CRL TA CA 1 CA 2 CRL CA 2 24

Circularity in Revocation Checking: OCSP Compromised TA CA OCSP Responder Rogue OCSP Responder CA Revocation Status 25 Issue for Local Policy Product Behavior

Circularity in Revocation Checking 26 Issue What if a certificate whose revocation status is being checked is in the path to verify the signature on the CRL or OCSP response for that same certificate o Can occur with self-issued certificates o Can occur when an OCSP Responder covers all certificates in a PKI Domain Resolution Provide some guidance in the Security Consideration section of RFC 3280 and RFC 2560 Basis Checking the revocation status of a certificate via a revocation information whose signature is verified using a certification path involving the very same certificate causes chicken and egg problem o Validating path requires certificate status o Obtaining certificate status requires validated path Recommendations Add text from slide 22 to Security Considerations Section in RFC 3280 Add text from slide 23 to Security Considerations Section in RFC 2560

Alternatives for CRL 27 1. Say nothing 2. Clarify that a CA is supposed to request revocation of all certificates issued to it when a key associated with self-issued certificate requires revocation 3. Use no-check extension in self-issued certificates 4. Transition from 2 to 3 5. Say something in Security Considerations (selected in order to make no changes to the standard)

Alternatives for OCSP Say something in security consideration section Revise 2560 for client processing rules to detect circularity 28

29 Text for RFC 3280 Security Consideration Section Revocation status of a certificate must not be checked using a CRL whose signature validation requires that same certificate in the certification path. For example, this may occur in self-issued certificates for key roll over or when a CA issues itself a certificate for CRL signing. A simple way to avoid this for key roll over certificates is to sign two CRLs (one using the old key and another using the new key). A simple way to avoid this for CRL signing key is to have the parent CA issue two certificates or if the CA is a trust anchor, promulgate two trust anchors.

Text for RFC 2560 Security Consideration Section Revocation status of a certificate must not be checked using an OCSP Response whose signature validation requires that same certificate in the certification path. 30

31 Questions

Matching IDP in CRL and CRL Distribution Point in Certificate CRL with IDP Absent Certificate CRL with IDP DP = NULL Partitioned CRL by Reason Code and or Certificate Type Partitioned CRL CRL with IDP DP in IDP = DP in CRL DP 32

List of Acronyms and Abbreviations CA Certification Authority CRL Certificate Revocation List CRL DP CRL Distribution Point DN Distinguished Name IDP Issuing Distribution Point OCSP Online Certificate Status Protocol PKI Public Key Infrastructure RFC Request for Comment TA Trust Anchor 33

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback