
EuroPKI

EuroPKI. Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica. The Copernican revolution. secure e-mail. secure remote access. secure Web. secure VPN. secure boot. X.509 certificate. secure DNS. Win2000 security. secure routing.


Presentation Transcript


  1. EuroPKI • Antonio Lioy • < lioy @ polito.it > • Politecnico di Torino • Dip. Automatica e Informatica

  2. The Copernican revolution • secure e-mail • secure remote access • secure Web • secure VPN • secure boot • X.509 certificate • secure DNS • Win2000 security • secure routing • no viruses & Trojan horses • IP security

  3. Background • ICE-TEL project (1997-1998) • ICE-CAR project (1999-2000) • various national projects (1996-2000) • since January 1, 2000: EuroPKI

  4. Diagram labels: EuroPKI Norway • EuroPKI Slovenia • EuroPKI TLCA • City of Rome CA • Politecnico di Torino CA • EETIC CA • people • servers • EuroPKI • EuroPKI Italy

  5. Current status • root + • AT (IAIK) • IE (TCD) • IT (POLITO) • Italian tree, with 4 City Halls • integration with the Italian identity chip-card • NO will retire on Dec 31, 2000 • SI (IJS) • Slovenian tree • UK (UCL)

  6. EuroPKI services • certification • revocation • publication • data validation • competence centre

  7. Certification • X.509v3 certificates • global CP (Certification Policy) • local CPS (Certification Practice Statement)

  8. Certification policy • current draft: • 28 pages • based on RFC-2527 (with extensions) • basic idea: • be as little restrictive as possible to allow anybody to join ... • ... while retaining a level of security useful for practical applications

  9. CP requirements • personal identification of the subject • secure management of the CA • periodic publication of CRL

  10. Applications supported • Web: • SSL/TLS • signed applets • SSL-based applications: • telnet, FTP, SMTP, POP, IMAP, ... • e-mail: • S/MIME • IPsec (via SCEP) • DNS (?)

  11. Publication • certificates and CRLs • Web servers: • for humans • directory server: • for applications • LDAP (local) directories • X.500 (global) directory • X.521 schema

  12. Revocation • CRL (Certificate Revocation List) • cumulative list of revoked certificates • issued periodically • updated as needed • OCSP (On-Line Certificate Status Protocol): • “is this cert valid now?” • unknown, valid, invalid

  13. Time-stamping • proof of data existence at a given date • IETF-PKIX-TSP-draft-12 • TSP server (Win32, Unix) • TSP client (GUI for Win32, shell for Unix)

  14. Attribute certificate • where should I put additional information related to a certificate? • inside the certificate, in order to keep all data together • in a directory, or in an attribute certificate (draft-ietf-pkix-ac509prof)

  15. Next steps • GARR PKI • European digital signature law • CDSA • automatic policy negotiation

  16. EuroPKI? Future • I have a dream ... • ... a pan-European open and public PKI to enable network security
