Issuing delegate certs to Customer AF using Cross-Certification

Feb 19, 2019
David Hancock, Chris Wendt (Comcast)

Slide 2: Current "proxy" model for issuing TN-PoP Certs to Customer AF

Procedures 1, 2, 3 and 4 are performed each time a new TN-PoP cert is issued.

  1. Customer AF orders a TN-level cert from the ACME Proxy (ACME account pre-authorized with external account binding).
  2. Acting as an interworking function and firewall, the ACME Proxy at the TN Provider relays the cert order to the STI-CA.
  3. STI-CA issues the TN-level end-entity cert to the ACME Proxy.
  4. Customer AF downloads the cert (or cert URL) from the ACME Proxy.

Certificate path: the TN-PoP end-entity cert chains directly to the STI-CA intermediate certificate, which chains to the CA root certificate.

Slide 3: New TN-PoP SHAKEN 2.0 Solution

  - Use Cross-Certification to delegate STI-CA authority, as specified in RFC 5280.
  - Goal: standard X.509 with backward compatibility for signature validation on the STI-VS.

Slide 4: RFC 5280 defines two classes of certs

  - CA certificates
      - MUST contain a Basic Constraints extension with the cA boolean set to TRUE.
      - The certificate's private key can be used to sign another certificate in the cert path.
  - End-entity certificates
      - MUST either omit the Basic Constraints extension, or contain Basic Constraints with cA set to FALSE.
      - The certificate's private key cannot be used to sign another certificate.

Slide 5: RFC 5280 also defines three sub-classes of CA certs

  - Self-issued certificate: CA cert where the issuer and subject are the same entity.
  - Self-signed certificate (aka root cert): CA self-issued certificate whose signature can be verified using the cert's own public key.
  - Cross-certificate: CA cert where the subject and issuer are different entities.

Slide 6: Using cross-certs to delegate CA authority

  - CA-1 can delegate its authority to another "delegate" CA-2 by issuing a cross-certificate to CA-2.
  - The delegate CA-2 can then issue end-entity certs, chained to the cross-certificate.
  - For domain certs, CA-1 can include a Name Constraints extension in the cross-certificate to limit the Subject name-space of the end-entity certs issued by the delegate CA-2.

Slide 7: Domain CA delegation example

Certificate path: National CA 1 intermediate/root cert -> Delegate CA 2 cross-certificate (with constraints) -> Endpoint end-entity cert. The constraints in the cross-certificate bound the end-entity cert.

National CA 1 intermediate/root certificate
  Issuer: nationalCA1.com
  Subject: nationalCA1.com
  Basic Constraints: cA = true
  CA1 public key
  Signature

Delegate CA 2 cross-certificate
  Issuer: nationalCA1.com
  Subject: delegateCA2.com
  Basic Constraints: cA = true
  Name Constraints: *.delegateCA2.com
  CA2 public key
  Signature

Endpoint end-entity certificate
  Issuer: delegateCA2.com
  Subject: subdomain.delegateCA2.com
  CA2 public key
  Signature

Slide 8: Leveraging cross-certificates for the SHAKEN Customer AF case

  - STI-CA delegates CA responsibilities to the TN Provider.
  - STI-CA issues a cross-certificate to the TN Provider.
  - The TN Provider then uses the cross-certificate to issue STI end-entity certs to its multiple Customer AFs.
  - STI-CA includes constraints in the cross-certificate that limit the scope of end-entity certificates issued by the TN Provider (i.e., place limits on the contents of TNAuthList (SPC and TNBlock)).

Slide 9: Issuing STI certs to Customer AF using the Delegate CA model

Certificate path: STI-CA root certificate (CA intermediate/root cert) -> TN Provider cross-certificate (with constraints) -> STI end-entity certificate. The constraints in the cross-certificate bound the end-entity certs.

  1. STI-CA issues the cross-certificate with constraints to the TN Provider Delegate CA (via ACME).
  2. The TN Provider Delegate CA issues STI end-entity certificates (via ACME) to Customer AF 1, Customer AF 2 and Customer AF 3 (STI cert 1, STI cert 2, STI cert 3).

STI-CA root certificate
  Issuer: STI-CA
  Subject: STI-CA
  STI-CA public key
  Signature

TN Provider cross-certificate
  Issuer: STI-CA
  Subject: TN Provider
  TNAuthList constraints
  TN Provider public key
  Signature

STI end-entity certificate (Customer AF 3)
  Issuer: TN Provider
  Subject: CAF-3
  TNAuthList: SPC value, Customer AF TNs
  Customer AF public key
  Signature

Slide 10: How are constraints established and enforced?

  - The STI-PA authorizes constraints per TN Provider; the constraints are conveyed to the STI-CA in the SPC Token.
  - STI-CA issues a cross-certificate to the TN Provider with the constraints authorized by the STI-PA.
  - The TN Provider issues STI end-entity certificates to Customer AFs within the scope of the constraints.
  - Verification services verify that STI end-entity certificates honor the constraints.

Slide 11: The complete Customer AF certificate management flow

Participants: STI-PA; STI-CA (holding the CA intermediate/root cert); TN Provider Delegate CA (holding the cross-certificate with constraints); Customer AF; STI-CR.

  1. Get the SPC Token with constraints from the STI-PA.
  2. Order the cross-certificate with constraints from the STI-CA (via ACME).
  3. Customer AF orders an STI certificate from the TN Provider Delegate CA.
  4. Store the issued STI certificate in the STI-CR.
  5. Customer AF downloads the cert from the STI-CR URL.
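The checks that slides 4 to 7 (Basic Constraints, Name Constraints) and slides 8 to 10 (TNAuthList constraints honored by verification services) describe can be exercised end to end on a small model of a certificate path. The following is an added example, not code from the presentation or from any STI-VS product: certificates are plain Python dataclasses, signature verification is stood in for by a boolean, and the way a cross-certificate constrains subordinate TNAuthLists is a hypothetical encoding chosen here, since the slides do not specify one. The SPC and telephone-number values are constructed. The validator applies the same logic to both the domain chain from slide 7 and the SHAKEN chain from slide 9, and rejects a delegate that issues outside its scope.

```python
"""Simplified model of the RFC 5280 checks behind the delegate-CA pattern.

Assumptions (not from the presentation): certificates are dataclasses, signatures
are represented by a boolean instead of being verified, and a cross-certificate's
TNAuthList constraint is modelled as a TNAuthList that subordinate certificates
must fit inside. All names, SPC and TN values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TNAuthList:
    """TNAuthList content: a service provider code and/or inclusive E.164 number ranges."""
    spc: Optional[str] = None
    tn_ranges: List[Tuple[int, int]] = field(default_factory=list)


@dataclass
class Cert:
    subject: str
    issuer: str
    ca: Optional[bool] = None                               # Basic Constraints cA; None = extension omitted
    permitted_dns: List[str] = field(default_factory=list)  # Name Constraints permittedSubtrees (dNSName)
    tnauth: Optional[TNAuthList] = None                     # TNAuthList asserted by an STI end-entity cert
    tnauth_constraint: Optional[TNAuthList] = None          # hypothetical: bounds on subordinate TNAuthLists
    signature_ok: bool = True                               # stand-in for verifying with the issuer's key


def dns_within(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: the name equals the subtree or adds labels to its left."""
    base = subtree.lower().lstrip("*").lstrip(".")
    name = name.lower()
    return name == base or name.endswith("." + base)


def tn_within(asserted: TNAuthList, limit: TNAuthList) -> bool:
    """Every SPC and TN range the end-entity asserts must fall inside what the cross-cert allows."""
    if limit.spc is not None and asserted.spc != limit.spc:
        return False
    return all(any(lo <= first and last <= hi for lo, hi in limit.tn_ranges)
               for first, last in asserted.tn_ranges)


def validate_path(chain: List[Cert]) -> Tuple[bool, str]:
    """Walk a path ordered trust anchor -> ... -> end-entity and report the first failure."""
    if not chain:
        return False, "empty path"
    anchor = chain[0]
    if anchor.subject != anchor.issuer or anchor.ca is not True:
        return False, "trust anchor must be a self-issued CA certificate"
    dns_limits: List[List[str]] = []
    tn_limits: List[TNAuthList] = []
    for idx, cert in enumerate(chain):
        if idx > 0:
            parent = chain[idx - 1]
            if cert.issuer != parent.subject:
                return False, f"{cert.subject}: issuer {cert.issuer!r} is not {parent.subject!r}"
            if not cert.signature_ok:
                return False, f"{cert.subject}: signature does not verify under {parent.subject}"
        if idx < len(chain) - 1:
            # Everything above the end-entity must be a CA cert (cA = TRUE) ...
            if cert.ca is not True:
                return False, f"{cert.subject}: not a CA certificate, cannot sign the next cert"
            # ... and any constraints it carries bind the certs below it.
            if cert.permitted_dns:
                dns_limits.append(cert.permitted_dns)
            if cert.tnauth_constraint is not None:
                tn_limits.append(cert.tnauth_constraint)
        else:
            # End-entity: Basic Constraints omitted or cA = FALSE, and inside every inherited limit.
            if cert.ca is True:
                return False, f"{cert.subject}: end-entity cert must not assert cA = TRUE"
            for subtrees in dns_limits:
                if not any(dns_within(cert.subject, s) for s in subtrees):
                    return False, f"{cert.subject}: subject outside permitted name-space {subtrees}"
            for limit in tn_limits:
                if cert.tnauth is None or not tn_within(cert.tnauth, limit):
                    return False, f"{cert.subject}: TNAuthList exceeds the delegated scope"
    return True, "path valid"


def domain_example(leaf_subject: str = "subdomain.delegateCA2.com") -> List[Cert]:
    """Chain from slide 7: National CA 1 -> Delegate CA 2 cross-cert -> endpoint cert."""
    national = Cert("nationalCA1.com", "nationalCA1.com", ca=True)
    cross = Cert("delegateCA2.com", "nationalCA1.com", ca=True, permitted_dns=["*.delegateCA2.com"])
    return [national, cross, Cert(leaf_subject, "delegateCA2.com")]


def shaken_example(spc: str = "1234",
                   tn_ranges: Tuple[Tuple[int, int], ...] = ((12015550100, 12015550199),)) -> List[Cert]:
    """Chain from slide 9: STI-CA -> TN Provider cross-cert with TNAuthList constraints -> CAF-3 cert."""
    sti_ca = Cert("STI-CA", "STI-CA", ca=True)
    cross = Cert("TN Provider", "STI-CA", ca=True,
                 tnauth_constraint=TNAuthList(spc="1234", tn_ranges=[(12015550000, 12015559999)]))
    caf3 = Cert("CAF-3", "TN Provider", ca=False, tnauth=TNAuthList(spc=spc, tn_ranges=list(tn_ranges)))
    return [sti_ca, cross, caf3]


if __name__ == "__main__":
    print(validate_path(domain_example()))
    print(validate_path(domain_example("victim.example.net")))
    print(validate_path(shaken_example()))
    print(validate_path(shaken_example(tn_ranges=((12015560000, 12015560010),))))
```

Two design points carry over to a real STI-VS. First, the constraints are collected from every CA certificate on the path and applied to the end-entity, so a delegate cannot escape them by inserting another level; a full implementation applies the name constraints to every subordinate certificate, not only the leaf. Second, the end-entity check rejects cA = TRUE outright, which is what stops a Customer AF certificate from being reused to sign further certificates.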
