EuroPKI
Antonio Lioy <lioy@polito.it>
Politecnico di Torino, Dip. Automatica e Informatica

The Copernican revolution
- secure Web
- secure e-mail
- secure remote access
- secure VPN
- secure boot
- X.509 certificate
- secure DNS
- Win2000 security
- no viruses & Trojan horses
- secure routing
- IP security

Background
- ICE-TEL project (1997-1998)
- ICE-CAR project (1999-2000)
- various national projects (1996-2000)
- since January 1, 2000: EuroPKI

EuroPKI
- EuroPKI Norway
- EuroPKI Slovenia
- EuroPKI TLCA
- EuroPKI Italy
- people, servers
- Politecnico di Torino CA, EETIC CA, City of Rome CA

Current status
- root + AT (IAIK), IE (TCD), IT (POLITO), NO (will retire on Dec 31, 2000), SI (IJS), UK (UCL)
- Italian tree, with 4 City Halls
- integration with the Italian identity chip-card
- Slovenian tree

EuroPKI services
- certification
- revocation
- publication
- data validation
- competence centre

Certification
- X.509v3 certificates
- global CP (Certification Policy)
- local CPS (Certification Practice Statement)

Certification policy
- current draft: 28 pages
- based on RFC-2527 (with extensions)
- basic idea: be as little restrictive as possible to allow anybody to join ... while retaining a level of security useful for practical applications

CP requirements
- personal identification of the subject
- secure management of the CA
- periodic publication of CRL

Applications supported
- Web: SSL/TLS, signed applets
- SSL-based applications: telnet, FTP, SMTP, POP, IMAP, ...
- e-mail: S/MIME
- IPsec (via SCEP)
- DNS (?)

Publication
- certificates and CRLs
- Web servers: for humans
- directory server: for applications
- LDAP (local) directories
- X.500 (global) directory
- X.521 schema

Revocation
- CRL (Certificate Revocation List): cumulative list of revoked certificates, issued periodically, updated as needed
- OCSP (On-Line Certificate Status Protocol): "is this cert valid now?" -> unknown, valid, invalid

Time-stamping
- proof of data existence at a given date
- IETF-PKIX-TSP-draft-12
- TSP server (Win32, Unix)
- TSP client (GUI for Win32, shell for Unix)

TSP server

Attribute certificate
- where should I put additional info related to a certificate?
- inside the certificate, in order to keep all data together
- in a directory
- or in an attribute certificate (draft-ietf-pkix-ac509prof)

Next steps
- GARR PKI
- European digital signature law
- CDSA
- automatic policy negotiation

Future
I have a dream ... a pan-European open and public PKI to enable network security.
EuroPKI?
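A worked illustration of the Revocation slide, added here and not part of the original presentation or of any EuroPKI software: a relying party checks a certificate against the issuing CA's CRL and reports the same three answers the slide lists for OCSP, treating a CRL that does not verify or is past its nextUpdate as "unknown" rather than "valid". The CA, leaf certificate and CRL are constructed inside the code with Go's standard crypto/x509 package (Go 1.19 or later); the names CheckCRL, must and Demo are my own.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const Valid, Invalid, Unknown = "valid", "invalid", "unknown" // the three OCSP answers on the slide
// CheckCRL answers "is this cert valid now?" from a CRL published by ca; Unknown means the
// list cannot settle the question (bad signature, wrong issuer, or outside its validity window).
func CheckCRL(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) string {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(ca) != nil || !bytes.Equal(rl.RawIssuer, leaf.RawIssuer) ||
		now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) { // CRLs are issued periodically: stale == unknown
		return Unknown
	}
	for _, rc := range rl.RevokedCertificates { // cumulative list of revoked serial numbers
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Invalid
		}
	}
	return Valid
}
// must aborts the constructed CA setup on error; CheckCRL itself never panics.
func must(der []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return der
}

// Demo builds a constructed CA and leaf (serial 42), revokes the leaf in a one-hour CRL and
// returns the status seen while that CRL is fresh and again after its nextUpdate has passed.
func Demo() (fresh, stale string) {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca, _ := x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	leaf, _ := x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))
	return CheckCRL(leaf, ca, crlDER, now), CheckCRL(leaf, ca, crlDER, now.Add(2*time.Hour))
}
```

Demo returns "invalid" while the CRL is current and "unknown" once it has expired, which is exactly the gap between a periodically issued CRL and the live answer OCSP is meant to give.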