• PKI is based on trustworthiness asserted and enforced by a Policy Authority and expressed through the credentials issued by Certification Authorities under a federation.
• Shibboleth is based on trusting participants to abide by established community standards and rules. Contracts are required.
• Grid Services accept certificates as valid credentials if they are signed by trusted authorities.
• Further develop the Australian HE Trust Fabric
• Implement the Trust Model that supports the Trust Fabric
• Aid further integration with Shibboleth and Grid Technologies
• Seek Australian HE input
  – Technical Working Group Mailing list ([email protected])
  – Wiki
  – Test and evaluate available technologies for certificate management systems
  – Further develop Interoperability test
  – Input into draft CP/CPS
  – Revision of Certificate Profile
  – Questions/Comments: [email protected]
  – www.esecurity.edu.au
From ITU-T Recommendation X.509/ISO/IEC 9594, The directory: public-key and attribute certificate frameworks:
Generally, an entity can be said to “trust” a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. The key role of trust in this framework is to describe the relationship between an authenticating entity and an authority; an entity shall be certain that it can trust the authority to create only valid and reliable certificates.
From the Online Ethics Center for Engineering and Science <http://onlineethics.org>:
Trust is confident reliance. We may have confidence in events, people, or circumstances, or at least in our beliefs and predictions about them, but if we do not in some way rely on them, our confidence alone does not amount to trust.
Reliance is a source of risk, and risk differentiates trusting in something from merely being confident about it. When one is in full control of an outcome or otherwise immune from disappointment, trust is not necessary. It is, of course, possible to rely on other people or on circumstances simply because one lacks other options.
Basis for confidence in relying on some person may not be morally sound. Trust may be naive or otherwise ill-founded. In that case it is likely to be disappointed. Trust may also rest on a morally unsound foundation as when, for example, one party feigns trustworthiness or behaves reliably only because the other party dominates. Philosopher Annette Baier offers as a test of the moral soundness of trust relationships that they thrive rather than wither when the basis for confidence is revealed.
From F. Fukuyama, Trust: The Social Virtues and the Creation of Prosperity:
Trust is the expectation that arises within a community of regular, honest, and cooperative behavior, based on commonly shared norms, on the part of other members of that community.
From M. Sako, Prices, Quality, and Trust: Inter-firm Relations in Britain and Japan:
Trust is a state of mind, an expectation held by one trading partner about another, that the other behaves or responds in a predictable and mutually expected manner.
From E. Lorenz, Trust, Contract and Economic Cooperation:
Trust can be defined as the judgment one makes on the basis of one's past interactions with others that they will seek to act in ways that favor one's interests, rather than harm them, in circumstances that remain to be defined. Trusting judgments inevitably remain tentative, rather than certain, since they are based on a limited knowledge of others rather than a precise calculation of their interests.
From Wikipedia <http://en.wikipedia.org/wiki/Trust_(sociology)>:
Trust in sociology is a relationship between people, or between people and social institutions such as a corporation or government. It is the belief by one person that another's motivations towards them are benevolent and "honest" ….
The work of Barbara Misztal attempts to combine all notions of trust together. She points out that there are three basic things that trust does in the lives of people.
– It makes social life predictable
– It creates a sense of community
– It makes it easier for people to work together.
No proactive identity check has been provided to the RA. However, identity information has been provided by a body with which the RA has a trust relationship.
Example: A student being enrolled in at least one subject is sufficient for certificate issuing; however, identity information has only been supplied by QTAC (or similar state body).
Level 2
Subject is required to provide proof of identity by an in-person appearance to the RA. However, the individual, for whatever reason, cannot provide the required 100 points of identification.
Example: A contractor, who is at an institution for a short time but needs access to a system protected by PKI, may not have enough credentials on her person to meet the 100 points check but can provide some credentials like a driver's licence and/or credit card.
Level 3
Subject is required to provide proof of identity by an in-person appearance to the RA. That proof should accrue to at least 100 points of identity.
Example: A foreign staff member that has a valid passport and has a written reference from an acceptable referee.
Level 4
Subject is required to provide the same information as for Level 3 certification, in addition to a positive check to be conducted by an appropriate external agency.
• Trust Anchors are self-signed certificates.
  – A Relying Party usually chooses its Trust Anchor.
  – Typically it’s the Trust Anchor of their Organization.
  – Or …
• Trust List.
  – CAs trusted by a particular application vendor.
  – CAs manually added to a Trust List. (But by who?)
• Sometimes it is not obvious who is your Trust Anchor.
  – Need to click on the Padlock.
• Two CAs must have trust relationship to form link. Either
  – One must be subordinate to other or
  – Must be Cross-Certified. (Unilateral or Bilateral?)
  – Relationships should be forged due to common policies or procedures or interests. Otherwise there is a dilution of trust.
• Must be able to locate and retrieve candidate CAs for chain
  – Don’t need end entity’s certificate. Already have it.
  – Some protocols can provide them. SSLv3/TLSv1, S/MIME.
  – Some certificate attributes can hint at where to find them.
    • Authority Information Access Extension.
  – Some X.500 or LDAP directories can contain them.
• Can’t construct path, can’t construct “sense of trust”.
• Once path is constructed each link of chain must be checked.
  – Is integrity of certificate sound? Issuer signature must be verified.
  – Is the certificate being used within its validity period?
  – Has certificate been revoked?
    • Not trivial pursuit. Need external information. CRL. OCSP.
    • Where do I find these? Some X.509 extensions hint at locations.
  – Has it been used for its intended purpose?
  – Is the candidate path too long?
  – Does one of the CA certificates prohibit the candidate path?
  – Does one of the CA certificates prohibit the policy of another?
• Can’t validate path, can’t construct “sense of trust”.
• If path doesn’t validate sirens go off.
• If path does validate (suddenly) nothing happens.
  – But who does my application think is the trust anchor and how did it get there? Check the Padlock.
• X.509 and RFC3280 imprecise about Certificate Path Processing (CPP).
  – Has led to vendor interoperability problems.
  – Common applications can’t do dynamic path construction.
    • Netscape/Mozilla/Firefox.
  – Others do it but with varying degrees of success.
    • Microsoft Windows CryptoAPI (IE, Outlook)
    • Authority Information Attribute
  – Can get third party CPP engines.
    • Entrust Entelligence.
  – CPP can be very intensive and untimely for relying party.
    • Delegated Path Construction and Validation. (DPP and DPV.)
  – Certificate Authority Module. (CAM)
    • Freely available.
    • Used by HEBCA and FBCA.
  – Simple Certificate Validation Protocol (SCVP).
    • Coming soon to an RFC near you.
  – W3C XML Key Management Specification (XKMS).
    • Total refactoring of PKI away from ASN.1
• eSecurity Framework Project follows on from the CAUDIT PKI and has the goal to develop a production PKI
  – Initial architecture was developed and a proof of concept CA was designed and built.
  – Fully hierarchical CA test environment, now version 0.2 test environment
  – Developed Draft CP/CPS
    • www.esecurity.edu.au
    • Requested Feedback from
      – Technical Activities Group (pkitag)
      – HEBCA, FBCA and others
  – Issued CA Certificates
    • Victoria University
    • Monash University
    • The University of Queensland
  – Participant Universities Issued End User Certificates
• OpenCA used for the initial test environment
  – 4 CAs on one test infrastructure
  – 4 RAs on another test infrastructure
  – RootCA on own host
  – Both CA hosts are kept entirely off the network
• Difficulties encountered getting them to all work together on the one host system – testing purposes
• OK, so that’s a manpage, but how do I do anything?

    openssl req -new

• By default, this will expect you to then enter a number of attributes for the CSR, namely:

    % openssl req -new
    Generating a 1024 bit RSA private key
    ...................++++++
    ..........++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
• CA Extensions to use for the Self-Signed CA

    [ v3_ca ]
    basicConstraints = CA:true
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    keyUsage = cRLSign, keyCertSign
    subjectAltName=email:copy
    issuerAltName=issuer:copy
• Actually Signing the Certificate with its private key

    % openssl x509 -req \
        -in myhost_woolloomooloo_edu_au.pem.csr \
        -extfile openssl_test_v3_ca.cnf \
        -extensions v3_ca \
        -signkey myhost_woolloomooloo_edu_au.pem.key \
        -out myhost_woolloomooloo_edu_au.pem.crt
    Signature ok
    subject=/C=AU/O=The University of Wooloomooloo/OU=Information Technology
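
The path construction and validation slides and the openssl signing step above, combined into one added example (not part of the original presentation): it builds a throwaway root, subordinate CA and end-entity certificate, then shows a relying party accepting the full path, failing when the intermediate cannot be located, and rejecting a certificate issued by a non-CA. All file names, subject names and the v3_sub and v3_ee sections are constructed for illustration; it assumes an openssl 1.1.0 or later binary on the PATH.

```sh
#!/bin/sh
# Added example: throwaway three-level PKI; every name and file here is constructed.
set -eu

build_pki() {   # run inside an empty scratch directory
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ v3_sub ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
[ v3_ee ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
EOF
  for n in root sub ee rogue; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/C=AU/O=Example University/CN=$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  sign() {      # sign <name> <extension section> <issuer options...>
    n=$1; ext=$2; shift 2
    openssl x509 -req -in "$n.csr" -days 30 -extfile pki.cnf \
      -extensions "$ext" -out "$n.crt" "$@" 2>/dev/null
  }
  sign root  v3_ca  -signkey root.key                         # self-signed trust anchor
  sign sub   v3_sub -CA root.crt -CAkey root.key -CAcreateserial
  sign ee    v3_ee  -CA sub.crt  -CAkey sub.key  -CAcreateserial
  sign rogue v3_ee  -CA ee.crt   -CAkey ee.key   -CAcreateserial   # issuer is not a CA
  cat sub.crt ee.crt > candidates.pem
}

# Relying party: root.crt is the only trust anchor; everything else is untrusted input.
verify_full()   { openssl verify -CAfile root.crt -untrusted sub.crt ee.crt; }
verify_no_sub() { openssl verify -CAfile root.crt ee.crt; }
verify_rogue()  { openssl verify -CAfile root.crt -untrusted candidates.pem rogue.crt; }

run_demo() {
  work=$(mktemp -d); cd "$work"; build_pki
  verify_full   && echo "full path: validates"
  verify_no_sub || echo "intermediate missing: no path, no trust"
  verify_rogue  || echo "end entity acting as CA: rejected"
}

run_demo
```

Revocation (CRL/OCSP) is not exercised here; the three checks cover path construction, signature and validity, and the basicConstraints restriction on who may issue.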