Path Construction
“It’s Easy!”
Mark Davis
Current WP Scope
Applications that make use of public key certificates have to validate certificate paths.
Before validating a certificate path, it is first necessary to construct that path.
This means finding a set of certificates that appears to chain up to a trust point.
This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".
So What is the Problem?
Does not seem to work in the real world
Brought up as area of interest at first PKI Forum
Standards seem to address the problem
Objectives:
  – Identify parts of the task
  – Describe the problem
  – How can PKI Forum make progress?
Path Construction
Want to validate a certificate
You have some trusted roots
Each certificate has “issuer name”
  – May have other information
Path validation described in standards
  – Start with root
  – Check each cert (cert, policy, revocation status)
  – When check of cert of interest complete, then work is done
No Problem. Well …
Finding the certificates
  – Mostly an LDAP problem
Finding a path
  – Graph theory problem
Checking a path
  – Good news! Recognizable correct answer
  – Whose rules
    • Certificate may or may not contain standard profile
    • Roots may be from different profiles
#1 Finding Missing Certificate
Can’t identify certificate
  – DN non proper
  – Cert storage not related to Issuer DN
  – LDAP
“Path Policy” may not use X.509 certificates
  – PKCS #7
Interdomain directory authorization problems
#2 Finding the path
Assuming you can find the certificates
In real life, number of certificates well bounded
Graph traversal algorithms well understood
  – I admit that building routing algorithms is hard. But somebody else already did it.
  – We do not introduce new problems
Each Cert Issuer -> Issue Cert link must be handled by SW
Partial paths
  – SW must parse partial path and maintain like as above
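Added example (not from the original slides): a depth-first path builder that follows issuer names from the certificate of interest toward a trust point, carries the partial path as it goes, skips loops caused by mutual cross-certification, and bounds path length. The Cert tuple, STORE, TRUSTED, build_paths and max_len are hypothetical names, and the DNs are constructed sample data. Matching on names only yields candidate paths; each one still has to go through path validation.

```python
from collections import namedtuple

# Constructed sample data: a certificate reduced to the fields used for chaining.
Cert = namedtuple("Cert", "subject issuer serial")

STORE = [
    Cert("CN=Alice", "CN=CA-B", 1),  # certificate of interest
    Cert("CN=CA-B", "CN=CA-A", 2),   # CA-A cross-certifies CA-B
    Cert("CN=CA-A", "CN=CA-B", 3),   # CA-B cross-certifies CA-A (creates a loop)
    Cert("CN=CA-A", "CN=Root", 4),   # CA-A issued by the trust point
    Cert("CN=Bob", "CN=Unknown", 9), # issuer certificate cannot be found
]
TRUSTED = {"CN=Root"}                # names of the trusted roots


def build_paths(target, store, trusted, max_len=8):
    """Return all candidate paths [target, ..., cert issued by a trust point]."""
    by_subject = {}
    for cert in store:               # index so each issuer lookup is one dict hit
        by_subject.setdefault(cert.subject, []).append(cert)
    found = []

    def extend(partial, seen):
        tip = partial[-1]
        if tip.issuer in trusted:    # chained up to a trust point: path complete
            found.append(list(partial))
            return
        if len(partial) >= max_len:  # bound the search (resource limit)
            return
        for cand in by_subject.get(tip.issuer, []):
            if cand.subject in seen: # already on this partial path: loop, skip
                continue
            extend(partial + [cand], seen | {cand.subject})

    extend([target], {target.subject})
    return found


def serials(paths):
    """Compact view of the result: one list of serial numbers per path."""
    return [[c.serial for c in p] for p in paths]
```
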
Other Problems
…
What does the paper need to say – Mark’s Version
LDAP is hard (see LDAP WP)
Sometimes you don’t use LDAP to get Certificates (see …)
Graph Traversal is hard (see Knuth)
Path construction is easy!
What does the paper need to say – WG Consensus Version
List the problems with LDAP
Recommend protocols and business logic solve as much of the problem as possible
Error Handling needs guidance
CA-CA paper must give guidance to bound path construction
Path construction may be resource intensive
  – server may be better than on small device
Environmental impacts described