overcoming the pki hierarchy problem pmas and tacar
play

Overcoming the PKI hierarchy problem. PMAs and TACAR Diego R. Lopez - PowerPoint PPT Presentation

Dec 22, 2023 •104 likes •271 views

Overcoming the PKI hierarchy problem. PMAs and TACAR Diego R. Lopez RedIRIS PKIs and their growth problems The original X509 concept implicitly asumed a common global root for certificates At least, so it was perceived in many cases

  1. Overcoming the PKI hierarchy problem. PMAs and TACAR Diego R. Lopez RedIRIS

  2. PKIs and their growth problems  The original X509 concept implicitly asumed a common global root for certificates  At least, so it was perceived in many cases  Similar to the old X500 idea of a single global root for The Directory  This (as with the case of LDAP) has proven unfeasible  This implies the need of concialiating several roots of trust  Traditional solutions to this problem  Building a mesh of cross-certificates  Extending hierarchies to a common (agreed) root  The first one does not scale  The second imply policy problems  New solutions applied/explored in the academic arena  PMAs and trust repositories  Bridges PMAs and TACAR

  3. Hierarchy problems  A common root is not feasible even in the "simpler" academic world  Policies have incompatible purposes and even basic principles  Not even mentioning national regulations  Several applications impose limitations in the certificate verification procedues  Most notably, currently used Grid software  Extending the infrastructures usually means cumbersome resigning processes  Scaling problems become even worse than in the mesh case PMAs and TACAR

  4. PMAs and TACAR The simpler, the better  Keep the solution as simple as possible  Take advantage of the already existing trust links in the community  Explore and extend the technologies  Seek for support in the EU and beyond  Endorsment of the EUGridPMA and TACAR by the eIRG as a "first step towards common EU policies for authentication for resource access and sharing for e-science"  International Grid Trust Federation  The Cotswolds Group PMAs and TACAR

  5. PMAs  Policy Management Authority  Defines a set of minimal requirements and good practices  It accredits PKIs  Authentication and key management procedures  Signing policies  By means of a peer review process  Several active PMAs  Basically related to Grid infrastructures  Europe, America, Asia-Pacific http://www.eugridpma.org/  A federation of these PMAs has been established  The International Grid Trust Federation http://www.gridpma.org/ PMAs and TACAR

  6. More on PMAs  Participants  Accredited PKIs  User infrastructures where the accreditation is accepted  Trust repositories  The PMA does not provide identity assertions  But guarantees that certificates comply to the minimal requirements  Verifiable through the trust repositories  Accoding to the limits established by its policy  All accredited PKIs are to be considered equivalent  As authentication providers  Authorization is performed by the relaying party PMAs and TACAR

  7. A case study: The EUGridPMA  Formally established in April 2004  http://www.eugridpma.org/  Participants from Europe and beyond  A single PKI per country (whenever possible)  Relaying parties are national and trans-national Grids  EGEE, DEISA, LCG, SEE-GRID,...  Identity is only applicable to e-science environments  Encryption and digital signature are not supported  The participants are not to be considered digital signature agencies according to the EU directives  Financial transactions are not supported  It is required to comply to GSI technical requirements  TACAR is used as trust repository PMAs and TACAR

  8. The EUGridPMA coverage  Other participant PKIs: CERN Catch-all for EGEE, LCG, SEE-GRID Russia (LCG) Israel Armenia DoEGrids (USA) FNAL Service CA (USA) Canada Japan Taiwan Pakistan PMAs and TACAR

  9. TACAR. The goals  Provide a means for building a PKI-based web of trust  Among the European academic community (and beyond!)  Without the technical and administrative overhead of a root or bridge CA  Based on two basic principles  Keep it simple  Let it happen  Initially conceived as a collection of certificates  More formalization was rapidly requested and incorporated PMAs and TACAR

  10. TACAR. The two basic principles  Keep it simple  Do not require extra developments  Make the whole system sustainable  Let it happen  Follow a very pragmatic approach  Gain critical mass  Act according to user organization demands  The better illustration is the original evolution  TACAR was conceived as a simple PKCS#7 distributed via TLS  Policy issues came into play and the TACAR policy was created PMAs and TACAR

  11. The TACAR Policy – I  Which PKIs can be included  Directly managed by TERENA members: NRENs  (Inter)national academic infrastructures: EUNIS, Educause, Internet2,...  Non-for-profit research projects directly involving the academic community: Grids  Including a PKI  Self-signed certificate(s)  Policy documents (CP/CPS) and fingerprints  Face-to-face meeting to build the initial trust links  The policy document includes sample letters for  Registration  Collected by the TERENA officers when incorporating a new CA  Accreditation (optional)  Aimed to simplify interactions (electronic updates) PMAs and TACAR

  12. The TACAR Policy – II  Updating the information pertaining a PKI  Mandatory in case of any change  Certificates or policies  Only allowed for accredited people  Face-to-face  By e-mail, using PGP  Measures for repository maintenance  Available through a secured web page  Periodic checking of data accuracy  Procedures for changing the policy itself  Agreement among the participating organizations PMAs and TACAR

  13. Current status  An updated policy  Some clarifications requested by new members  Explicit mention to the site certificate and its diffusion  Explicit mention to the site security measures  Has exercised the policy update procedures  Twenty certificates currently available  Everything at http://www.tacar.org/  SSL access through a self-signed certificate  https://www.tacar.org/  DN: dc=org, dc=tacar, cn=www.tacar.org  Fingerprint: 10:AE:CE:44:A2:CC:15:C7:1D:71:61:6B:B5:70:AD:5C PMAs and TACAR

  14. What is TACAR providing  A trusted source for  Root certificates  Policies  The repository is built and updated by means of out-of-band methods  Face-to-face meetings  Required for the initial incorporation  PGP-enabled mail  (Optional) bundles of available certificates  A platform to experiment with  Lighter than a common root, simpler than a bridge PMAs and TACAR

  15. New proposals around TACAR  A mechanism for extending trust links  By means of semi-cross certificates  Included by each participating PKI as another certificate in its hierarchy  TACAR as the root verification point for issuing and renewing the semi-cross certificates  A certificate verification service  Based on OCSP  TACAR as trusted source for certificates and CRLs,simplifying maintenance procedures  A certificate diffusion system  Derived from e-mail addresses and DNS, mostly oriented to encryption and digital signatures  TACAR as the common trust root PMAs and TACAR

Recommend

New Solutions to the Hierarchy Problem What to Expect at the TeV Scale Gustavo Burdman Instituto

New Solutions to the Hierarchy Problem What to Expect at the TeV Scale Gustavo Burdman Instituto

New Solutions to the Hierarchy Problem What to Expect at the TeV Scale Gustavo Burdman Instituto de F sica - USP Lishep 2006, Rio de Janeiro, March 27-30 2006 New Solutions to the Hierarchy Problem p.1/39 Outline The Hierarchy

678 views • 39 slides
Gravitino Problem Introduction Supersymmetry (SUSY) Fermion Boson Hierarchy Problem Keep

Gravitino Problem Introduction Supersymmetry (SUSY) Fermion Boson Hierarchy Problem Keep

Gravitino Problem Introduction Supersymmetry (SUSY) Fermion Boson Hierarchy Problem Keep electroweak scale against radiative correction Coupling Constant Unification in GUT quark squarks lepton slepton photon

736 views • 45 slides
Memory Hierarchy Introduction Problem: Suppose your processor wishes to issue 4 instructions

Memory Hierarchy Introduction Problem: Suppose your processor wishes to issue 4 instructions

Memory Hierarchy Introduction Problem: Suppose your processor wishes to issue 4 instructions per cycle. How much memory bandwidth will you require? Solution: build a memory hierarchy. Keep data youre likely to need close at hand.

110 views • 8 slides
The supersymmetric little hierarchy problem and possible solutions Stephen P . Martin Northern

The supersymmetric little hierarchy problem and possible solutions Stephen P . Martin Northern

The supersymmetric little hierarchy problem and possible solutions Stephen P . Martin Northern Illinois University PHENO 2010 May 11, 2010 Based in part on 0910.2732 , and work to appear with James Younkin. Supersymmetry is Too Big To Fail:

419 views • 39 slides
1 Basic use of caches Levels in the memory hierarchy When fetching an instruction, first

1 Basic use of caches Levels in the memory hierarchy When fetching an instruction, first

Memory Hierarchy Goal of a memory hierarchy Memory: hierarchy of components of various speeds and Keep close to the ALU the information that will be needed capacities now and in the near future Memory closest to ALU is fastest but

56 views • 5 slides
Memory Hierarchy Design Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview

Memory Hierarchy Design Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview

Memory Hierarchy Design Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview Problem CPU vs Memory performance imbalance Solution Driven by temporal and spatial locality Memory hierarchies Memory hierarchies

733 views • 55 slides
Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview Problem CPU vs Memory

Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview Problem CPU vs Memory

Memory Hierarchy Design Chapter 5 and Appendix C 1 Overview Problem CPU vs Memory performance imbalance Solution Driven by temporal and spatial locality Memory hierarchies Fast L1, L2, L3 caches Larger but

762 views • 28 slides
Polynomial Hierarchy A polynomial-bounded version of Kleenes Arithmetic Hierarchy becomes

Polynomial Hierarchy A polynomial-bounded version of Kleenes Arithmetic Hierarchy becomes

Polynomial Hierarchy A polynomial-bounded version of Kleenes Arithmetic Hierarchy becomes trivial if P = NP . Karp, 1972 Computational Complexity, by Fu Yuxi Polynomial Hierarchy 1 / 44 Larry Stockmeyer and Albert Meyer introduced

584 views • 45 slides
Emotion-Based Recommender System for Overcoming the Problem of Information Overload Hernani

Emotion-Based Recommender System for Overcoming the Problem of Information Overload Hernani

Emotion-Based Recommender System for Overcoming the Problem of Information Overload Hernani Costa and Luis Macedo { hpcosta,macedo } @dei.uc.pt CISUC, University of Coimbra Coimbra, Portugal Salamanca, May, 2013 Costa et al. (CISUC)

785 views • 49 slides
Searches for new vacua II: A new Higgstory at the cosmological collider Junwu Huang Perimeter

Searches for new vacua II: A new Higgstory at the cosmological collider Junwu Huang Perimeter

Searches for new vacua II: A new Higgstory at the cosmological collider Junwu Huang Perimeter Institute Oct, 2019 @ GGI 1904.00020 , 1907.10624 , 1908.00019 Anson Hook, Junwu Huang, Davide Racco Hierarchy problem EW hierarchy problem &

636 views • 36 slides
Exploiting the Temporal Logic Hierarchy and the Non-Confluence Property for Efficient LTL

Exploiting the Temporal Logic Hierarchy and the Non-Confluence Property for Efficient LTL

Problem Det. via Automata Hierarchy Det. Non-Confluent Automata Conclusion Exploiting the Temporal Logic Hierarchy and the Non-Confluence Property for Efficient LTL Synthesis Andreas Morgenstern GandALF 2010 Andreas Morgenstern Symbolic

838 views • 47 slides
XIV. Arithmetic Hierarchy Yuxi Fu BASICS, Shanghai Jiao Tong University We introduce a hierarchy

XIV. Arithmetic Hierarchy Yuxi Fu BASICS, Shanghai Jiao Tong University We introduce a hierarchy

XIV. Arithmetic Hierarchy Yuxi Fu BASICS, Shanghai Jiao Tong University We introduce a hierarchy of sets in terms of logical formula and prove its relationship to the hierarchy 0 , 0 , 0 , . . . of Turing degree. Computability Theory,

732 views • 33 slides
Towards solving hierarchy problem with asymptotically safe gravity Masatoshi Yamada (Kanazawa

Towards solving hierarchy problem with asymptotically safe gravity Masatoshi Yamada (Kanazawa

Towards solving hierarchy problem with asymptotically safe gravity Masatoshi Yamada (Kanazawa Univ. Kyoto Univ. Heidelberg Univ.) with Kin-ya Oda (Osaka Univ.) and Yuta Hamada (KEK & Wisconsin Univ.) ERG2016@Trieste LHC The

668 views • 44 slides
Memory Hierarchy Motivation, Definitions, Four Questions about Memory Hierarchy Soner Onder

Memory Hierarchy Motivation, Definitions, Four Questions about Memory Hierarchy Soner Onder

Memory Hierarchy Motivation, Definitions, Four Questions about Memory Hierarchy Soner Onder Michigan Technological University Randy Katz & David A. Patterson University of California, Berkeley Levels in a memory hierarchy 2 Basic

524 views • 21 slides
Overcoming barriers to energy efficiency in cooking A Swiss survey among key players in politics,

Overcoming barriers to energy efficiency in cooking A Swiss survey among key players in politics,

Overcoming barriers to energy efficiency in cooking A Swiss survey among key players in politics, business, and NGOs Sonja Lthi, Eivind Sto Content 1. The BARENERGY Project 2. Problem Statement 3. Research Questions 4. Methodology 5.

325 views • 21 slides
Hierarchy Builder C.Cohen, K.Sakaguchi and E.Tassi Disclaimer: this talk is an advertisement

Hierarchy Builder C.Cohen, K.Sakaguchi and E.Tassi Disclaimer: this talk is an advertisement

Hierarchy Builder C.Cohen, K.Sakaguchi and E.Tassi Disclaimer: this talk is an advertisement What we sell today: Hierarchy Builder ( HB ) is a tool to organize libraries around a hierarchy of interfaces opam install coq-hierarchy-builder

361 views • 5 slides
MEGA: Overcoming Traditional Problems with OS Huge Page Management Theodore Michailidis , Alex

MEGA: Overcoming Traditional Problems with OS Huge Page Management Theodore Michailidis , Alex

MEGA: Overcoming Traditional Problems with OS Huge Page Management Theodore Michailidis , Alex Delis, Mema Roussopoulos University of Athens Motivation Capacity of memory is ever growing, TLBs do not scale. Problem: Increased TLB misses,

563 views • 43 slides
CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large Networks Paul Tsuchiya, 1988 Spring 2013 Landmark Routing Objective: Reduce the routing table size without increasing path length by a large

459 views • 15 slides
What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache

What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache

What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache Performance Proc/Regs L1-Cache Bigger Faster L2-Cache Memory hierarchy concept, cache L3-Cache (optional) design fundamentals, set-associative

303 views • 4 slides
Extensions of the Caucal Hierarchy? Pawe Parys University of Warsaw LATA 2019 Caucal

Extensions of the Caucal Hierarchy? Pawe Parys University of Warsaw LATA 2019 Caucal

Extensions of the Caucal Hierarchy? Pawe Parys University of Warsaw LATA 2019 Caucal hierarchy a hierarchy of graphs We consider directed, edge-labeled graphs without isolated vertices Caucal hierarchy a hierarchy of graphs We

527 views • 35 slides
Overcoming non Distributivity A Case Study through Functional Programming Juan C Saenz-Carrasco

Overcoming non Distributivity A Case Study through Functional Programming Juan C Saenz-Carrasco

Overcoming non Distributivity A Case Study through Functional Programming Juan C Saenz-Carrasco and Mike Stannett Agenda Introduction Definitions The Problem A Functional Approach Applications Conclusion Introduction In order to solve

962 views • 42 slides
CLINICAL PRACTICE OT PROCEDURES ESCAPE/AVOIDANCE HIERARCHY SELF CONTROL Eb Blakely, Ph.D.,

CLINICAL PRACTICE OT PROCEDURES ESCAPE/AVOIDANCE HIERARCHY SELF CONTROL Eb Blakely, Ph.D.,

7/25/2017 CLINICAL PRACTICE OT PROCEDURES ESCAPE/AVOIDANCE HIERARCHY SELF CONTROL Eb Blakely, Ph.D., BCBA-D Quest, Inc. Florida Institute of Technology OCCUPATIONAL THERAPY: SENSORY INTEGRATION Assumption: Unusual /problem behavior is a

386 views • 36 slides
Hierarchy of Provider Edge Devices in Hierarchy of Provider Edge Devices in BGP/MPLS VPN

Hierarchy of Provider Edge Devices in Hierarchy of Provider Edge Devices in BGP/MPLS VPN

Hierarchy of Provider Edge Devices in Hierarchy of Provider Edge Devices in BGP/MPLS VPN BGP/MPLS VPN <draft-libin-hierarchy-pe-bgp-mpls-vpn-00.txt> Huawei Technologies IETF 56, San Francisco, March 16-21, 2003 Agenda Agenda

475 views • 8 slides
1 5.1 Introduction A Typical Memory Hierarchy A Typical Memory Hierarchy Memory Technology

1 5.1 Introduction A Typical Memory Hierarchy A Typical Memory Hierarchy Memory Technology

Review: Major Components of a Computer Review: Major Components of a Computer Processor Devices Memory Memory Control Hierarchy Hierarchy Input Memory Datapath Output Original slides from: Computer Architecture A Quantitative

447 views • 10 slides

More recommend