certificate repository structure
play

Certificate Repository Structure - PowerPoint PPT Presentation

Oct 28, 2023 •145 likes •320 views

Certificate Repository Structure draft-huston-sidr-repos-struct-00.txt Basic Model 'named objects make other named objects' Natural parent-child relationship in process Follow the hierarchy Nodes (ie directories) and Objects

  1. Certificate Repository Structure draft-huston-sidr-repos-struct-00.txt

  2. Basic Model ● 'named objects make other named objects' – Natural parent-child relationship in process ● Follow the hierarchy – Nodes (ie directories) and Objects (files) – Information management advantages ● Local sub-trees can be independently managed ● ‘what made me’ & ‘what do I make’ easy to find/combine into global information base ● Use g(AKI) and g(SKI) for names, CRL, '*IA' – Algorithmic naming, not real-entity. Tied to public key of certificate ● (very low) risk of hash collision ● Avoids ‘real world name’ politics

  3. Hierarchy model ● Rooted at each Trust Anchor (TA) – Trust anchor self signed – In repository name model, AKI == SKI – (don’t just trust self-signed or AKI==SKI, TA must be externally defined to be valid) ● For each certificate issued – Sub-dir at ‘node level’ (for products of certificate) named by SKI of certificate. Sub-dir contents: ● produced certs, CRL (for CA certs) ● Signed objects (for EE certs) – Name structure stable across certificate re-issuance ● if public key remains constant.

  4. Trust Anchors (self-reference) Canonical file name: pvpjvwUeQix2e54X8fGbhmdYMo0-2F.cer serial: 2F g(AKI): pvpjvwUeQix2e54X8fGbhmdYMo0 g(SKI): pvpjvwUeQix2e54X8fGbhmdYMo0 CRLdp: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ Trust Anchor pvpjvwUeQix2e54X8fGbhmdYMo0.crl Ipv4 10.0.0.0/8 AIA: rsync://repository.apnic.net/APNIC/ 192.168.0.0/16 pvpjvwUeQix2e54X8fGbhmdYMo0 SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0

  5. Products of TA Canonical file name: DLAl5E2IJgSdp2syO9gvEeptpsI-51.cer serial: 51 g(AKI): pvpjvwUeQix2e54X8fGbhmdYMo0 g(SKI): DLAl5E2IJgSdp2syO9gvEeptpsI CRLdp: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ Cert made by TA DLAl5E2IJgSdp2syO9gvEeptpsI/ DLAl5E2IJgSdp2syO9gvEeptpsI.crl Ipv4 10.0.0.0/8 192.168.0.0/16 AIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0 SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI

  6. Products of (products of TA) Canonical file name: zGJyRYzO3n7rcGV_hH-Hmn68OPY-505 .cer serial: 505 g(AKI): DLAl5E2IJgSdp2syO9gvEeptpsI g(SKI): zGJyRYzO3n7rcGV_hH-Hmn68OPY CRLdp: rsync://repository.apnic.net/APNIC/ Cert made pvpjvwUeQix2e54X8fGbhmdYMo0/ by Cert, DLAl5E2IJgSdp2syO9gvEeptpsI/ made by TA zGJyRYzO3n7rcGV_hH-Hmn68OPY/ zGJyRYzO3n7rcGV_hH-Hmn68OPY.crl Ipv4 10.0.0.0/8 AIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI SIA: rsync://repository.apnic.net/APNIC/ pvpjvwUeQix2e54X8fGbhmdYMo0/ DLAl5E2IJgSdp2syO9gvEeptpsI zGJyRYzO3n7rcGV_hH-Hmn68OPY

  7. path discovery to TA g(AKI): AAAA TA is defined: g(SKI): AAAA terminate. crldp: URI-A/AAAA.crl TA AIA: URI-A/ SIA: URI-A/ g(AKI): AAAA g(SKI): BBBB Cert, crldp: URI-A/BBBB/BBBB.crl made by TA AIA: URI-A/ SIA: URI-A/BBBB g(AKI): BBBB Cert made g(SKI): CCCC by Cert, crldp: URI-A/BBBB/CCCC/CCCC.crl made by TA AIA: URI-A/BBBB/ SIA: URI-A/BBBB/CCCC

  8. Object-Name model For a CA ● – Your parent’s SKI became your AKI. – Your SKI becomes your children’s AKI Sha1 hash over ASN.1 of public key ● – Extremely low collision risk – g(ski) or g(aki)+<serial> unique for any given CA – g(ski) alone: all re-issues with same public key hash to same location (serials not involved) ● No name change with normal certificate renewal – Public key change == complete namespace rollover (unavoidable) Represented by ‘url friendly’ modified base64 ● representation, <64 chars per cert instance

  9. Hierarchy Implications ● Inter-RIR registration/transfers explicit in repository certificate, naming model ● Clean separation of address-types in hierarchy – Experimental separated from Historical from Current RIR policy from … ● Clean model for independent sub-trees – Provide publication point in RSYNC: URL space – Irrespective of local naming policy, cert identity in repository is deterministic – No risk of collision when uploaded into global repository structure

  10. Modified-Gutmann Alg: g(ski) Use of base64 Specified in rfc4387 ● – Reduces 160-bit sha1 to 27 char Base64 encoding. ● URLs not workable in filestore contexts due to presence of ‘/’ character. ● ‘+’ character interfered with URL parsing I-D.josefsson-rfc3548bis ● – Base64 transform, ‘/’ and ‘+’ replaced by ‘-’ and ‘_’ ● No size increase, URL friendly, filestore friendly – Can be implemented as a post-process on Base64 transform, or as a native function Resulting object names are at least 26 chars long ● – Plus serial (up to 20 chars of HEX) plus syntactic sugar for filename.ext purposes) – Under 64-char limits for older FS (but clearly over 8.3) – Not ‘mandatory' to implement as dir/file store, but useful

  11. Why not certificate names? These are not identity certs ● – No applicability in browsers, webservers, email signing – Identity checks for issuance still required but now local to issuer, no global context ● Unless driven by other needs – Can use ‘shadow cert’ process to derive certificates with apparent name for business purposes Avoids any consideration of entity name collision ● – in certificate namespace, encodings, field choices – directory name model is inherently complex Survivable across future models of address transfer/trading ● “it’s the crypto, not the name which secures” ● – Proof of knowledge of private key authorizes signed outcomes, not the name on the certificate in this model

  12. Operations models ● Authenticated copy – TA must be sourced out-of-band. – Fetch repository via rsync ● Crl from CRLdp of TA ● Repository contents via AIA of TA – Top-down walk to validate all objects published at TA ● Recurse for independent SIA/CRLdp ● Local sub-repository – Requires at LEAST path back to issuing TA to perform validation

  13. Why Rsync? ● Avoid inventing new protocol ● Desireable features – Can fetch single objects, trees – Byte efficient (only differing blocks) – No fetch of unchanged objects ● Downsides – May be expensive on server – Lax formal specification

  14. What do we get? ● Deterministic, simple naming ● Objects always have a known place in hierarchy ● EE certs, CRLs, 'products' nest cleanly inside 'producer' namespace ● Clean separation of certs by delegation (right back to TA == 'root')

  15. Natural hierarchies form TA1 prod(TA1) prod(TA1) prod(TA1) p(p(TA1)) CRL p(p(TA1)) ee(p(p(TA1))) roa(a) roa(b) roa(c)

  16. ...but you inherit multiple TA ISP-A

Recommend

Two of many repository structure decisions path length placement of products and

Two of many repository structure decisions path length placement of products and

2009 Perforce User Conference Repository Structure Considerations for Performance Perforce Software Performance Lab Michael Shields, Manager Tim Brazil, Engineer Introduction Two of many repository structure decisions path length

302 views • 17 slides
Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson

Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson

Staging Package Deployment via Repository Management Chris St. Pierre Matt Hermanson Background (Mostly) homogeneous environment Organizational structure Bcfg2 Our Approach Control what packages are available in the repository

153 views • 12 slides
Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day

Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day

BSB41515 C ERTIFICATE IV IN P ROJECT M ANAGEMENT P RACTICE BSB41515 Certificate IV in Project Management Practice Day 1: Project Initiation Course structure 8-day program Attendance sheet Active participation Assessment portfolio Initiating

829 views • 41 slides
TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures

TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures

TERENA Certificate Service Milan Sova CESNET Agenda History TCS Structure Procedures Conclusions History pop-up free server certificates History: SCS TERENA Server Certificate Service summer 2004: first idea

176 views • 17 slides
Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No

Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No

15/05/2013 Leaving Certificate Applied ICT Mandatory Course Structure 2 Modules to be completed No task or final exam for the Introduction to ICT mandatory. 1 15/05/2013 Credit Value Each Module has a value of 2 credits 2

462 views • 16 slides
Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR Fintech Index is a long-only, USD-based, actively managed total return index. The pace of innovation in financial technology (Fintech) has been

616 views • 26 slides
Grid Applica+on Meta-Repository - Repository interconnec+vity

Grid Applica+on Meta-Repository - Repository interconnec+vity

Grid Applica+on Meta-Repository - Repository interconnec+vity and cross-domain applica+on usage in distributed compu+ng environments - Alexandru Tudose

389 views • 14 slides
NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No. 2426-CPR-105 NEO is an innovative Public Address and Voice Alarm system that allows an easy audio installation with just one piece of equipment.

326 views • 7 slides
For student abcdef : the CS619 repository is: https://stsvn.cs.unh.edu/svn/cs619. abcdef

For student abcdef : the CS619 repository is: https://stsvn.cs.unh.edu/svn/cs619. abcdef

Subversion version control system enables collaborative work maintains di ff erent revisions of every file in a given repository any revision can be retrieved from the repository each revision is associated with a timestamp each revision is

254 views • 6 slides
Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM

Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM

Status of the Repository at Status of the Repository at Yucca Mountain Presented to: DOE-EM Performance Assessment Community of Practice Technical Exchange Meeting Presented by: Dr. Paul R. Dixon Nuclear Waste Program Manager Nuclear Waste

478 views • 19 slides
1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

4/3/2015 New Plastic Pilot Certificate So, Where Do I Start? What we will cover today Your old paper certificate is no longer valid. What it takes to be PIC again Google Search: Replacement of Airmen Certificate What has

485 views • 35 slides
Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety certification program National standard supported by the Canadian Federation of Construction Safety Association (CFCSA) Aimed at driving

320 views • 10 slides
Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of Need Process and Related Hospital Issues Research Division Staff, September 14, 2011 What is a COPA? An agreement among two or more hospitals

201 views • 19 slides
Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S.

Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S.

Bunker Hill Superfund Site: Coeur dAlene Basin Repository Monitoring and Limited Use Repository Updates Citizens Coordination Council April 18, 2018 Craig Cameron U.S. Environmental Protection Agency East Mission Flats Repository Monitoring

146 views • 14 slides
Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined COR is a workplace health and safety certification program All Legislative elements require 100% achievement National standard supported by

374 views • 9 slides
Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

The 18 th International Conference on Electronic Business December 2-6, 2018, Guilin, China CERTIFICATE Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo, Anhui University, China Hong Guo, Anhui

1.04k views • 102 slides
A Distributed A Distributed Online Certificate Status Protocol Online Certificate Status

A Distributed A Distributed Online Certificate Status Protocol Online Certificate Status

A Distributed A Distributed Online Certificate Status Protocol Online Certificate Status Protocol Satoshi Koga, Kouichi Sakurai Satoshi Koga Kyushu University, Japan Background Background Certificate Revocation Problem Certificate

349 views • 10 slides
Targeting a statically compiled program repository with LLVM Russell Gallop April 2019 Program

Targeting a statically compiled program repository with LLVM Russell Gallop April 2019 Program

Targeting a statically compiled program repository with LLVM Russell Gallop April 2019 Program Repository The Program Repository (or Repo) is a research project at SN Systems CC CC LD It aims to dramatically improve build times for

350 views • 11 slides
Repository (IDR) Dr. Chris Harle Becky Liao Integrated Data Repository (IDR) Mar. 3, 2020

Repository (IDR) Dr. Chris Harle Becky Liao Integrated Data Repository (IDR) Mar. 3, 2020

Intro to the Integrated Data Repository (IDR) Dr. Chris Harle Becky Liao Integrated Data Repository (IDR) Mar. 3, 2020 Chris Harle Professor, Health Outcomes and Biomedical Informatics Chief Research Information Officer, UF Health

615 views • 36 slides
Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford Certificate Authorities Public Key Certificate CA Certificate apo-CA-lypse apo-CA-lypse Certificate Transparency

722 views • 30 slides
Student Repository Mining with Marmoset Jaime Spacco Jaymie Strecker David Hovemeyer Bill Pugh

Student Repository Mining with Marmoset Jaime Spacco Jaymie Strecker David Hovemeyer Bill Pugh

Student Repository Mining with Marmoset Jaime Spacco Jaymie Strecker David Hovemeyer Bill Pugh Overview Student project repository granularity of each save full set of unit tests Use repository to validate and tune static

772 views • 34 slides
Mobile Payments Certificate 2 Mobile Payments Certificate Investment Case While the mobile

Mobile Payments Certificate 2 Mobile Payments Certificate Investment Case While the mobile

Mobile Payments Certificate 2 Mobile Payments Certificate Investment Case While the mobile payment infrastructure is now in place (NFC-enabled phones and POS terminals, various platforms such as Apple Pay), we are about to enter the second

467 views • 20 slides
Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh

Certificate Transparency with Privacy Saba Eskandarian, Eran Messeri, Joe Bonneau, Dan Boneh Stanford Google NYU Stanford Certificate Authorities Public Key Certificate Authorities Public Key Certificate CA Certificate apo-CA-lypse

1.17k views • 63 slides
One Statement Certificate Policies Milan Sova The problem Was this certificate issued to

One Statement Certificate Policies Milan Sova The problem Was this certificate issued to

One Statement Certificate Policies Milan Sova The problem Was this certificate issued to a host or to a person? Is the private key stored on a hardware token or in a software? Is the private key encrypted?

368 views • 7 slides

More recommend