SCVP 16
Presentation Transcript

  1. SCVP 16
     Trevor Freeman, Russ Housley, Ambarish Malpani

  2. What's Different From 15
     • 7 areas changed
     • 5 new features
     • Numerous editorial changes

  3. Changes
     • Validation policy ref & validation alg clarifications
     • Single policy per request clean up
     • userPolicySet
     • keyUsage & keyUsages
     • ResponseFlags
     • Request-response version clarifications
     • Signed & unsigned errors
     • Validation Policy ByRef clean-up

  4. Changes
     • Validation policy vs. validation alg
       • Policy defines parameters, algorithm defines how parameters are compared
       • New algorithms can extend the set of parameters
       • Policy can define a full or partial set of parameters
       • Client can specify a value if absent from the policy
       • If absent from both policy and request, server uses its published default value

  5. Changes
     • Single policy per request, multiple certificates per request
     • Correctly position errors
     • userPolicySet moved to validation policy
     • keyUsages is now a set of keyUsage, allowing the definition of multiple possible masks
     • ResponseFlags is a collection of flags which control the server response options

  6. Changes
     • Request-response clarifications for forward compatibility
       • Server responds with the same version of SCVP as the request, or an error
     • Signed & unsigned errors
       • Server returns signed errors in many cases to mitigate attacks

  7. Changes
     • Validation policy ByRef clean up
       • Clean up of validation policy definition for use when client requests validation policy ByRef

  8. New
     • Integrity for anonymous requests
     • Granular validation errors in response
     • Basic validation alg errors
     • Full support for CA cert validation
     • DN option for name validation alg
     • Name validation support mandatory on server
     • SCVP validation policy nonce
     • Validation policy supports max supported version number

  9. New
     • Integrity for anonymous request-response pair for use without TLS
       • Server publishes DH public keys in validation policy
       • Client generates DH key with same parameters &
       • Client sends authenticatedData using DH shared secret for HMAC with client public value in request
       • Server uses client DH public for authenticatedData response
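The anonymous-integrity exchange on this slide, as an added illustration that is not code from the slides or from the SCVP drafts: a toy DH group and HMAC-SHA256 stand in for the CMS AuthenticatedData encoding, and the function names, the SHA-256 key derivation and the binding of the client public value into the MAC are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (a Mersenne prime): far too small for real use.
# A deployment would use the group the server publishes in its validation policy.
P = (1 << 127) - 1
G = 5

def dh_keypair():
    """Return (private, public) for the group (P, G)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def mac_key(shared_secret):
    """Derive an HMAC key from the DH shared secret (SHA-256: an assumption)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def authenticated(key, body, extra=b""):
    """Stand-in for AuthenticatedData: HMAC-SHA256 over body || extra."""
    return hmac.new(key, body + extra, hashlib.sha256).digest()

def client_build_request(policy, body):
    """Client: fresh DH key with the policy's parameters, MAC with the shared secret."""
    priv, pub = dh_keypair()
    key = mac_key(pow(policy["server_pub"], priv, P))
    pub_bytes = pub.to_bytes(16, "big")
    mac = authenticated(key, body, pub_bytes)   # bind client public value into the MAC
    return {"body": body, "client_pub": pub_bytes, "mac": mac}, key

def server_handle(server_priv, request, response_body):
    """Server: derive the secret from the client's public value, verify, then reply."""
    client_pub = int.from_bytes(request["client_pub"], "big")
    if not 1 < client_pub < P - 1:              # reject degenerate public values
        return None
    key = mac_key(pow(client_pub, server_priv, P))
    expected = authenticated(key, request["body"], request["client_pub"])
    if not hmac.compare_digest(expected, request["mac"]):
        return None                             # integrity failure: no response
    return {"body": response_body, "mac": authenticated(key, response_body)}

def client_verify_response(key, response):
    """Client: check the server's MAC with the same shared-secret key."""
    return hmac.compare_digest(authenticated(key, response["body"]), response["mac"])

if __name__ == "__main__":
    server_priv, server_pub = dh_keypair()
    policy = {"server_pub": server_pub}          # published in the validation policy
    req, key = client_build_request(policy, b"CVRequest: constructed sample")
    resp = server_handle(server_priv, req, b"CVResponse: constructed sample")
    print("response verified:", client_verify_response(key, resp))
```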

  10. New
     • Granular validation errors in response
       • Error response returns a set of validation error OIDs
       • Basic validation algorithm now has errors defined as OIDs
       • Can return basic validation errors as well as validation alg specific errors

  11. New
     • Full support for CA cert validation
       • Returns policy set, included & excluded name sets
       • Enables hybrid DPD/DPV client with simplified validation for EE certificates only
     • DN name matching option for Name Validation Algorithm

  12. New
     • Validation Policy request supports optional nonce
       • Server returns either a cached response without nonce or a non-cached response with nonce
     • Validation Policy publishes max supported SCVP request version number

  13. SCVP 17
     • Editorial clarifications and corrections only
     • Please submit all comments to me or to the list by end of November
     • No outstanding issues
     • No new features planned
     • Please wait for SCVP v2 if you want more