Determining Equivalence between Certificate Policies for Purposes of Cross-Certification

Jimmy C. Tseng

Assistant Professor of Electronic Commerce

Rotterdam School of Management Erasmus University Rotterdam

Tel: +31-10-408-2854 Fax: +31-10-408-9010 Email: [email protected]

TERENA PKI-COORD Meeting, Amsterdam, 26 Nov, 2001

I. Cross-certification

The certification of one CA by another in order for a verifier to construct and verify certification paths across PKI domains

Construction of certification paths

Level of directory support

Scalability across organisations

Harmonise certificate policies

Sub-ordinated Hierarchies

Top-down from Root CA

Simple path construction

Low directory dependency

Weak scalability across organisations

[Diagram: a Root CA with Subordinate CAs at level 1 and level 2]

Cross-certified meshes

Pair-wise between CAs

Difficult path construction

High directory dependency

Medium scalability across organisations

[Diagram: Local CA A, Local CA B, Local CA C, Local CA D and Local CA E]

Hybrid model

Top-down or pair-wise

Multiple paths may exist, but simple path known

Moderate directory dependency

Medium scalability across organisations

[Diagram: Local CA A (level 1) and Local CA B (level 1), with Subordinate CAs (level 2)]

Bridge CA

Pairwise with Bridge CA

Simple, all non-local paths traverse bridge

Medium directory dependency

Scaleable across organisations

[Diagram: Bridge CA (cross-certification authority) with CA A, CA B and CA C (level 1) and Subordinate CAs (level 2)]
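
The mesh and bridge topologies above, compared in an added Python example that is not part of the original slides: it counts the cross-certificates each model needs and enumerates the loop-free certification paths a verifier could construct. It assumes a full mesh among the five Local CAs named on the mesh slide and reuses those CAs for the bridge case; all function names are illustrative.

```python
# Added example: cross-certificate counts and path construction in a
# full mesh versus a bridge CA. Each (issuer, subject) pair is one certificate.
from collections import deque

# CA names taken from the mesh slide; a *full* mesh is an assumption.
CAS = ["Local CA A", "Local CA B", "Local CA C", "Local CA D", "Local CA E"]
BRIDGE = "Bridge CA"

def mesh_certs(cas):
    """Pair-wise model: every CA certifies every other CA."""
    return {(a, b) for a in cas for b in cas if a != b}

def bridge_certs(cas, bridge=BRIDGE):
    """Bridge model: each CA and the bridge certify each other."""
    return {(a, bridge) for a in cas} | {(bridge, a) for a in cas}

def certification_paths(certs, anchor, target):
    """All loop-free certification paths from a verifier's trust anchor
    to the target CA, shortest first."""
    issued = {}
    for issuer, subject in certs:
        issued.setdefault(issuer, []).append(subject)
    found, queue = [], deque([[anchor]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for nxt in sorted(issued.get(path[-1], [])):
            if nxt not in path:          # never revisit a CA
                queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    for name, certs in (("mesh", mesh_certs(CAS)), ("bridge", bridge_certs(CAS))):
        found = certification_paths(certs, CAS[0], CAS[-1])
        print(f"{name}: {len(certs)} cross-certificates, "
              f"{len(found)} candidate paths, shortest {found[0]}")
```

With five CAs the mesh needs twice as many cross-certificates and leaves the verifier many candidate paths to evaluate, while the bridge leaves exactly one, which is what "all non-local paths traverse bridge" means for path construction.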

Trust list

Recognition by verifiers

Simple but limited to paths that begin within the trust list

Low directory dependency

Fair scalability, requires intensive management

II. Certificate Policy

CP defines “applicability of a certificate to a particular community and/or class of application with common security requirements”

CP used by “certificate users to decide whether or not to trust a certificate for a particular purpose”

“Any one certificate will typically declare a single certificate policy or, possibly, be issued consistent with a small number of different policies.” – RFC2527

Object Identifiers

“A certificate policy, which needs to be recognized by both the issuer and user of a certificate, is represented in a certificate by a unique, registered Object Identifier. The registration process follows the procedures specified in ISO/IEC and ITU standards.” – RFC2527

Looking up a Certificate Policy

Currently no standard means of looking up an OID

How to use OIDs to represent different policy dimensions?

“The party that registers the Object Identifier also publishes a textual specification of the certificate policy, for examination by certificate users.”

Is the certificate user forced to revert back to the CPS?

III. PKI Interoperation

Component-level Interoperation (standards)

Application-level Interoperation (cross platform compatibility)

Inter-domain Interoperation (harmonise certificate policies)

[Diagram: Domain A (CA A, Entity A, Application A) and Domain B (CA B, Entity B, Application B), connected by links labelled Trust, (1), (2) and (3)]

PKI Interdomain Interoperation

Interworking of CAs across different administrative and trust domains

Requires common or equivalent certificate policies (CP) and certification practices (CPS)

Harmonising CP and CPS is fraught with difficulties (e.g. cross-certification, policy constraints, certificate path validation)

CAs operate from different jurisdictions

IV. The Fiducia Project

Modelling the risks in interoperable public key infrastructures

Working Together

Spreading Trust

Securing Value

Modelling Contractual Risk in PKI Relationships

Modelling Business Risk in Electronic Transacting

Modelling Contractual Obligations and Liability in PKI

Non-legislative standards governing provision and use of PKI

[Diagram: Subject A, Subject B and RP A, with goods and services and payment flows; CA A (CPS A) and CA B (CPS B); a governance structure; and contractual arrangements: Subscriber Agreement A, Relying Party Agreement A, Subscriber Agreement B and Interoperability Agreement]

CA Database

Database of 110 public facing CAs from 33 countries in 16 languages

CPS Database

Full-text collection of CPs and CPSs

Legal Analysis

Legal and Semantic Analysis

Clarifying Roles, Obligations and Liabilities of all parties in PKI

[Diagram: Model Framework, showing Legislation; CPS1, CPS2 and CPS3; Semantic Schema - entities and rules; semantic elements; substantive rules; procedural rules; coding scheme; specification language; support for retrieval, query, and modelling]

Semantic Analysis

Ontology of affordances (possible behaviours)

Norms (that trigger actual behaviours)

[Ontology chart: nodes State#, Subject#, TTP#, Digital Certificate#, Person#, Corporate#, Server#, CA#, RA#, IA#, pair# and cryptographic key#; labels "issued to", "assigned", "vets", "contains", (certificate holder), (public key), (private key), (verified subject) and (subscriber certificate)]

Tools for Determining Equivalence between Certificate Policies

From certificate path validation to determining certificate policy equivalence

Textual database of certificate policy dimensions

Specification of similarities and differences across certificate policy dimensions

Basis for policy mapping and cross-certification
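
How a policy mapping in a cross-certificate carries a verifier's acceptable policy across domains, as an added Python example that is not part of the original slides. It is a simplified model of X.509 policy processing; the OIDs, the certificate names and the `valid_policies` helper are constructed for illustration.

```python
# Added example: simplified certificate-policy processing along a
# cross-certified path. Not the full X.509 algorithm (no anyPolicy,
# policy constraints or inhibit-mapping handling).
from dataclasses import dataclass, field

# Constructed OIDs under the 2.999 example arc; not real registrations.
A_HIGH, A_BASIC = "2.999.1.1", "2.999.1.2"      # domain A policies
B_MEDIUM, B_LOW = "2.999.2.1", "2.999.2.2"      # domain B policies

@dataclass
class Cert:
    subject: str
    policies: set                                 # certificatePolicies OIDs
    mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> {subjectDomainPolicy}

def valid_policies(path, acceptable):
    """Return the verifier-domain policies under which every certificate
    in `path` (certificate nearest the trust anchor first) is valid."""
    # live: OID expected in the next certificate -> verifier-domain origins
    live = {oid: {oid} for oid in acceptable}
    for cert in path:
        # A policy survives only if this certificate asserts it.
        live = {oid: src for oid, src in live.items() if oid in cert.policies}
        # Translate into the subject's domain where the issuer declared
        # an equivalence; unmapped policies keep their own OID.
        translated = {}
        for oid, src in live.items():
            for target in cert.mappings.get(oid, {oid}):
                translated.setdefault(target, set()).update(src)
        live = translated
    return set().union(*live.values())

# Cross-certificate issued by CA A to CA B: only A_HIGH is declared
# equivalent to a domain B policy.
CROSS = Cert("CA B", {A_HIGH, A_BASIC}, {A_HIGH: {B_MEDIUM}})
MEDIUM_USER = Cert("Entity B (medium)", {B_MEDIUM})
LOW_USER = Cert("Entity B (low)", {B_LOW})

if __name__ == "__main__":
    print(valid_policies([CROSS, MEDIUM_USER], {A_HIGH}))
    print(valid_policies([CROSS, LOW_USER], {A_HIGH}))
    print(valid_policies([CROSS, MEDIUM_USER], {A_BASIC}))
```

A path is acceptable to the domain A verifier only where the two CAs agreed an equivalence and the end-entity certificate asserts the mapped policy; an empty result means the path chains cryptographically but satisfies none of the verifier's policies.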