
Reliable Origin Authorization with End Entity Certificates

Learn about Resource Certificates and how End Entity Certificates can be used as one-off ROA signing tools. Discover the required information for authenticating ROAs, such as Originating AS and IP Address Set.


Presentation Transcript


  1. ROA Content Proposal, November 2006, Geoff Huston

  2. EE Resource Certificates
     • End Entity (no-CA) Certificates used as one-off ROA signing certificates
     • EE cert can be used for a single-use ROA signing
     • Private key is destroyed after a single use
     • EE Cert SIA is a pointer to the object that has been signed with the corresponding private key
     • ROA validity and resource attributes are controlled by the associated EE certificate(s)

  3. What Information is required for a ROA?
     • Originating AS
     • IP Address Set
     • Period of the Authority (Start & End Times)
     • Information to allow a relying party to validate that:
       • The address set is valid
       • The ROA was generated by the address holder
       • The ROA has not been altered
       • The ROA is valid

  4. What Information is required for a ROA?
     • Originating AS: In the ROA
     • IP Address Set: In the EE Cert (or in the ROA?)
     • Period of the Authority (Start & End Times): In the EE Cert
     • Information to allow a relying party to validate the following: In the EE Cert, plus a Trust Anchor set
       • The address set is valid
       • The ROA was generated by the address holder
       • The ROA has not been altered
       • The ROA is valid

  5. ROA Template (1)
     ROA Contents:
     1. AS Number
     2. Address Resource Set
     3. Signature(s) across the join of items 1 + 2
     4. Pointers to EE Cert(s)

  6. Alternate ROA Template (2)
     ROA Contents:
     1. AS Number
     2. Pointers (URLs) of EE Cert(s)
     3. Signature(s) across the join of items 1 + 2

  7. Alternate ROA Template (3)
     ROA Contents:
     1. AS Number
     2. EE Cert(s)
     3. Signature(s) across the join of items 1 + 2

  8. Alternate ROA Template (4)
     ROA Contents:
     1. AS Number
     2. Hash(es) of EE Cert(s)
     3. Signature(s) across the join of items 1 + 2
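
The relying-party checks from slides 3 to 8, as an added example that is not part of the original presentation: a ROA carrying an AS number and address set (Template 1) and a hash of its EE cert (Template 4) is checked against that certificate's resources and validity period. The class names, field names, the choice of SHA-256 and all sample values are assumptions; signature and certificate-path validation up to a trust anchor are assumed to happen elsewhere.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class EECert:            # hypothetical stand-in for an EE resource certificate
    der: bytes           # constructed placeholder bytes, not a real certificate
    resources: tuple     # address prefixes the certificate covers
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class ROA:               # Template 1 fields plus the Template 4 hash pointer
    as_number: int
    prefixes: tuple
    ee_cert_sha256: str  # SHA-256 is an assumption; the slides name no hash

def check_roa(roa, cert, now):
    """Return the reasons a relying party would reject the ROA ([] = accept).
    Signature and certificate-path validation are assumed done elsewhere."""
    problems = []
    if hashlib.sha256(cert.der).hexdigest() != roa.ee_cert_sha256:
        problems.append("ee-cert-hash-mismatch")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside-validity-period")
    covered = [ipaddress.ip_network(r) for r in cert.resources]
    for prefix in roa.prefixes:
        net = ipaddress.ip_network(prefix)
        # Compare only within one address family; subnet_of rejects mixed versions.
        if not any(net.version == c.version and net.subnet_of(c) for c in covered):
            problems.append(f"prefix-not-covered:{prefix}")
    return problems

# Constructed sample data (documentation prefixes and AS number).
UTC = timezone.utc
NOW = datetime(2006, 11, 15, tzinfo=UTC)
CERT = EECert(b"constructed-ee-cert", ("192.0.2.0/24", "2001:db8::/32"),
              datetime(2006, 11, 1, tzinfo=UTC), datetime(2007, 11, 1, tzinfo=UTC))
CERT_HASH = hashlib.sha256(CERT.der).hexdigest()
GOOD = ROA(64496, ("192.0.2.0/25", "2001:db8:1::/48"), CERT_HASH)
WIDE = ROA(64496, ("192.0.2.0/24", "198.51.100.0/24"), CERT_HASH)

if __name__ == "__main__":
    for name, roa in (("GOOD", GOOD), ("WIDE", WIDE)):
        print(name, check_roa(roa, CERT, NOW) or "accept")
```
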
