50 likes | 158 Vues
Proxy Certificate Profile. draft-ietf-pkix-proxy-04 Motivation: Grid Computing – users dynamically creating entities (e.g. computational jobs) Need to name created entities Need to grant rights to created entities Dynamic nature of creation makes tradition CA process too heavy weight.
E N D
Proxy Certificate Profile • draft-ietf-pkix-proxy-04 • Motivation: • Grid Computing – users dynamically creating entities (e.g. computational jobs) • Need to name created entities • Need to grant rights to created entities • Dynamic nature of creation makes tradition CA process too heavy weight Von Welch (welch@mcs.anl.gov)
Summary of Approach • End entity creates Proxy Cert (PC) for created entity • Looks like X509 identity cert • Has critical extension identifying it as a PC • Has identity based off/scoped by EEC identity • But distinct and unique Von Welch (welch@mcs.anl.gov)
Summary (cont) • Can contain intention of EE to delegate all/none/some of it’s rights to PC holder • Arbitrary policy for delegate • Define oid and policy blob • Policy defined for All (allows for “impersonation” in terms of authorization) • Policy defined for No rights delegated (allows for an “independent” proxy) • With PV changes, a PC chain works in place of standard EEC chain in TLS, SSL, etc. Von Welch (welch@mcs.anl.gov)
Changes since Atlanta (draft-03) • Path validation now specified as additions to RFC 3280 • Based on feedback from PKIX • As opposed to modifications to 3280 • Describes steps for validating PC part of cert chain • Take outputs from 3280 PV and use to do PV on PC part of cert chain Von Welch (welch@mcs.anl.gov)
Changes (cont) • ASN.1 module added • IETF/PKIX issued oids for defined policies • Correction of criticality keyUsage extension in Proxy Certificates • Must be critical only if EEC’s is critical Von Welch (welch@mcs.anl.gov)