
FAP Certificate profile (Revised)

S40-20090330-006 / X50-20090330-0xx
3GPP2 TSG-S WG4 / TSG-X WG5 (PDS)
FAP Certificate profile (Revised)
Source: QUALCOMM Incorporated
Contact(s): Anand Palanigounder (apg@qualcomm.com), Jun Wang (jwang@qualcomm.com)
Recommendation: Discuss and adopt.





Presentation Transcript


  1. S40-20090330-006 / X50-20090330-0xx
     3GPP2 TSG-S WG4 / TSG-X WG5 (PDS)
     FAP Certificate profile (Revised)
     Source: QUALCOMM Incorporated
     Contact(s): Anand Palanigounder (apg@qualcomm.com), Jun Wang (jwang@qualcomm.com)
     Recommendation: Discuss and adopt

  2. Background
     • At the last TSG-S WG4 meeting, we proposed a FAP certificate profile in S40-20090216-007
     • In this contribution, we revise the Femto AP (FAP) certificate profile to:
       • align it with TS 33.210 (as this is used by 3GPP for H(e)NBs) rather than with TS 33.234
       • update terminology
       • remove redundant requirements from the profile
     • We also propose an assumption that the FAP certificate is issued by the FAP vendor

  3. 1 Level CA Tree
     [Figure: Root CA (e.g., Femto Manufacturer CA) → FAP Certificate; FAP certificate issued using a one-level CA chain]
     • The Root CA issues the device certificate for the FAP, signed using the Root CA certificate.
     • The Root CA certificate must be stored at the SeGW and is used to authenticate the FAP using its device certificate.

  4. 2 Level CA Tree
     [Figure: Root CA (e.g., trusted 3rd party CA or Operator CA) → Sub-CA1 (e.g., Femto Manufacturer CA) → FAP Certificate; FAP certificate issued using a two-level CA chain]
     • The Root CA issues Sub-CA certificates signed using the Root CA certificate. Sub-CA1 in turn issues FAP certificates signed using the Sub-CA1 certificate.
     • The SeGW must (at least) have either the Sub-CA1 certificate or the Root CA certificate stored. This stored CA certificate is used to authenticate the FAP using the FAP certificate.

  5. Profile for FAP certificate (1/3)
     • X.509 certificates used for authentication of the FAP by the SeGW shall be compliant with RFC 5280 and RFC 4945 and shall meet the profile defined below
     • The signature algorithm shall be "sha256WithRSAEncryption", and the RSA public key used for signing shall be at least 2048 bits.

  6. Profile for FAP certificate (2/3)
     • The issuer name shall not be empty and shall identify the name of the issuer (as defined in RFC 5280 section 4.1.2.4)
     • The subject public key shall use the algorithm "rsaEncryption" [RFC 4055], and the RSA public key value shall be at least 2048 bits

  7. Profile for FAP certificate (3/3)
     • The subjectAltName extension shall be present in the FAP certificate and shall contain the FEID, conforming to the IEEE EUI-64 format and identifying the IEEE hardware address of the FAP, as the first field in FQDN format
       • E.g., FEID.vendor.com or FEID.femto
     • NOTE: The FEID only needs to be encoded in FQDN format and does not have to map to any real IP address

  8. SeGW processing requirements for FAP certificates (1/2)
     • FAP IKEv2 certificate handling shall be compliant with RFC 4945
     • The FAP shall not send certificate paths containing more than four certificates
     • The SeGW shall be able to support FAP certificate paths containing up to four certificates

  9. SeGW processing requirements for FAP certificates (2/2)
     • The SeGW shall only support GeneralizedTime encoding for validity time
     • The SeGW shall check the validity time, and reject certificates that are either not yet valid or expired
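The following Go program is an added illustration of slides 3 through 9 and is not part of the contribution or of any 3GPP2 specification text: it builds the 2 Level CA Tree of slide 4 (Root CA, Sub-CA1 as the manufacturer CA, FAP certificate) with Go's standard crypto/x509 package, then applies the SeGW-side checks from slides 5 to 9 to the path the FAP presents. All names in it (Example Root CA, Example Femto Manufacturer CA, the vendor.example domain, the FEID value 0011223344556677) are constructed for the example, and encoding the EUI-64 FEID as sixteen hexadecimal digits in the first FQDN label is an assumption of the example, since the contribution only states "EUI-64 format". The GeneralizedTime-only requirement of slide 9 is not enforced here because Go's parser accepts both UTCTime and GeneralizedTime without exposing which one was used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// Assumed encoding of the EUI-64 FEID as the first FQDN label: 16 hex digits (this example's choice).
var feidLabel = regexp.MustCompile(`^[0-9a-fA-F]{16}$`)

// CheckFAPCert applies the profile (slides 5-7) and SeGW processing rules (slides 8-9) to the
// path sent by the FAP (FAP certificate first, then sub-CAs) against the CA certificates stored
// at the SeGW, and returns the FEID from subjectAltName on success.
func CheckFAPCert(path []*x509.Certificate, stored *x509.CertPool, now time.Time) (string, error) {
	if len(path) == 0 || len(path) > 4 { // SeGW supports paths of up to four certificates
		return "", fmt.Errorf("path has %d certificates, want 1..4", len(path))
	}
	fap := path[0]
	if fap.SignatureAlgorithm != x509.SHA256WithRSA { // profile: sha256WithRSAEncryption only
		return "", fmt.Errorf("signature algorithm %v is not sha256WithRSAEncryption", fap.SignatureAlgorithm)
	}
	for _, c := range path { // subject key and every signing key sent in the path: RSA >= 2048 bits
		if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
			return "", fmt.Errorf("%q: public key is not rsaEncryption with at least 2048 bits", c.Subject.CommonName)
		}
	}
	if fap.Issuer.String() == "" || now.Before(fap.NotBefore) || now.After(fap.NotAfter) {
		return "", fmt.Errorf("issuer name empty, or certificate not valid at %s", now.UTC().Format(time.RFC3339))
	}
	feid := ""
	for _, name := range fap.DNSNames { // e.g. FEID.vendor.com
		if label := strings.SplitN(name, ".", 2)[0]; feidLabel.MatchString(label) {
			feid = strings.ToUpper(label)
			break
		}
	}
	if feid == "" {
		return "", fmt.Errorf("no subjectAltName dNSName with an EUI-64 FEID as first label")
	}
	inter := x509.NewCertPool() // sub-CAs sent by the FAP; trust anchors are the stored CA certs
	for _, c := range path[1:] {
		inter.AddCert(c)
	}
	_, err := fap.Verify(x509.VerifyOptions{Roots: stored, Intermediates: inter,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("path validation to a stored CA failed: %w", err)
	}
	return feid, nil
}

// issue signs template with parentKey and returns the parsed certificate.
func issue(template, parent *x509.Certificate, key, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA256WithRSA}
}

// BuildTwoLevelPKI constructs the 2 Level CA Tree of slide 4 with constructed names: Root CA ->
// Sub-CA1 (manufacturer) -> FAP certificate carrying <FEID>.vendor.example. The SeGW stores
// only the Root CA certificate; the FAP presents [FAP certificate, Sub-CA1].
func BuildTwoLevelPKI(feid string, now time.Time) (*x509.CertPool, []*x509.Certificate, error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	subKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	fapKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rootTmpl := caTemplate(1, "Example Root CA", now)
	root, err := issue(rootTmpl, rootTmpl, rootKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	sub, err := issue(caTemplate(2, "Example Femto Manufacturer CA", now), root, subKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	fap, err := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "FAP " + feid},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), DNSNames: []string{feid + ".vendor.example"},
		KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA}, sub, fapKey, subKey)
	if err != nil {
		return nil, nil, err
	}
	stored := x509.NewCertPool()
	stored.AddCert(root)
	return stored, []*x509.Certificate{fap, sub}, nil
}
```

Because the SeGW in this example stores only the Root CA certificate, the FAP has to send Sub-CA1 along with its own certificate; a path consisting of the FAP certificate alone fails path validation, which is the situation slide 4 addresses by allowing the SeGW to store either the Sub-CA1 or the Root CA certificate. For the 1 Level CA Tree of slide 3 the same checker works with the manufacturer CA as the stored root and a one-certificate path. A path longer than four certificates and a certificate presented outside its validity period are both rejected before any signature is verified.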

  10. Proposal
     • Adopt the FAP certificate profile requirements into S.P0132-0

  11. References
     • RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (obsoletes RFC 3280)
     • RFC 4043, Internet X.509 Public Key Infrastructure Permanent Identifier
     • RFC 4055, Additional RSA Algorithms and Identifiers
     • RFC 4945, The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX, August 2007
