Page 1: Directories and PKI Keith Hazelton Senior IT Architect, UW-Madison PKI Summit, Snowmass, 9-Aug-01

Directories and PKI

Keith Hazelton

Senior IT Architect, UW-Madison

PKI Summit, Snowmass, 9-Aug-01

Page 2

Agenda

• PKI and Directories: Complementary Middleware Services

• Directories for Certificate Management

• Directories for Authorization Information: Attributes and Roles

• Directory Support for Privacy and Other Security Services

• Work Items for Consideration

Page 3

PKI and Directories are Complementary

• Credo: Middleware services assist application roll-out

• Applications bring people and services together

• …in a controlled fashion

• We need both directory and security services to do apps

• But PKI and Directory complementary in a stronger sense

• Most I’s in PKI hand off key functions to directories

• Not all do (see PKI Ultra-Lite)

• Secure directories of the future may leverage PKI for PAIN

– Privacy, Authentication, Integrity, Non-repudiation

Page 4

Directories for Certificate Management

• Certificate management services via directories

• Certificate Repository

• Where apps can find X.509 certificates

• Find the person entry, then look for userCertificate attribute

– Carl Ellison asks: How do you know you’ve got the right Tom Smith?

• Open question: as we issue multiple certificates, how do we get the right one?

Page 5

Directories for Certificate Management

• Certificate Revocation Lists (CRLs)

• Certs can contain a CRL Distribution Point extension

• That extension MAY contain a URI pointing to the CRL

• Needed because vision of a global X.500 directory remains just that

• An alternative to CRLs is the Online Certificate Status Protocol (OCSP) service

• Certs can contain an Authority Information Access extension

• That extension MAY contain the name for an associated OCSP server
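The two certificate-management jobs on slides 4 and 5, as one added Go example that is not code from the talk: picking the right certificate out of a person entry's multi-valued userCertificate attribute (validity period, key usage, and a chain to a CA the application trusts), and then following the revocation pointers the slide describes. Everything is constructed at runtime: the "Demo Campus CA", the three certificates for "Tom Smith", the CRL Distribution Point and OCSP URIs under example.edu, and the in-memory Entry that stands in for the LDAP entry. It assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entry stands in for a directory person entry: its DN plus the multi-valued
// userCertificate;binary attribute, each value one DER-encoded certificate.
type Entry struct{ DN string; Certs [][]byte }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// SelectCertificate is one answer to "how do we get the right one?": keep the first
// value that is inside its validity period, has the key usage the application needs,
// and chains to a CA the application trusts (the directory itself is not trusted).
func SelectCertificate(e Entry, roots *x509.CertPool, usage x509.KeyUsage, now time.Time) (*x509.Certificate, error) {
	for _, der := range e.Certs {
		cert, err := x509.ParseCertificate(der)
		if err != nil || cert.KeyUsage&usage != usage || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			continue
		}
		opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := cert.Verify(opts); err == nil {
			return cert, nil
		}
	}
	return nil, fmt.Errorf("no usable certificate in entry %s", e.DN)
}

// Revoked checks the serial against a CRL (in practice fetched from the URI in
// cert.CRLDistributionPoints, here passed in) after confirming the issuer signed it.
func Revoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates { // newer Go also offers RevokedCertificateEntries
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildDemo constructs a hypothetical campus CA, an entry holding three certificates
// for "Tom Smith" (10: expired signing, 11: current signing, 12: current key agreement),
// and a CRL that revokes serial 11. None of this is real data.
func BuildDemo() (caCert *x509.Certificate, e Entry, crlDER []byte) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Campus CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is needed to sign CRLs
		SubjectKeyId: []byte("demo-ca-skid"),                       // constructed; Go requires one on a CRL issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err = x509.ParseCertificate(der)
	check(err)
	// issue creates one end-entity certificate carrying both revocation pointers from
	// the slides: a CRL Distribution Point URI and an AIA entry naming an OCSP responder.
	issue := func(serial int64, usage x509.KeyUsage, from, to time.Duration) []byte {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Tom Smith", Organization: []string{"Example University"}},
			NotBefore: now.Add(from), NotAfter: now.Add(to), KeyUsage: usage,
			CRLDistributionPoints: []string{"http://pki.example.edu/crl/campus.crl"}, // hypothetical URI
			OCSPServer:            []string{"http://ocsp.example.edu"},               // hypothetical URI
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		check(err)
		return der
	}
	e = Entry{DN: "cn=Tom Smith,ou=People,o=Example University", Certs: [][]byte{
		issue(10, x509.KeyUsageDigitalSignature, -48*time.Hour, -24*time.Hour),
		issue(11, x509.KeyUsageDigitalSignature, -time.Hour, 12*time.Hour),
		issue(12, x509.KeyUsageKeyAgreement, -time.Hour, 12*time.Hour),
	}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(11), RevocationTime: now}},
	}, caCert, caKey)
	check(err)
	return caCert, e, crlDER
}
```

Only the CRL path is exercised: the OCSP responder name is read out of the certificate's Authority Information Access extension but not contacted, since that needs a round-trip to the named server. Note the order of checks: the CRL's own signature is verified against the issuer before its contents are believed, because a CRL fetched from a URI is as untrusted as anything else on the network.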

Page 6

Directories for Certificate Management

• Certificate Repositories and CRLs

• Commercial PKI software suites may do this for you

• However, you will need to integrate with enterprise directory

• If you roll your own PKI, this is an item on the long list of tasks

• NOTE: PKI Lite and Ultra-Lite can live without directories

• Signed, encrypted email

• Simple access control to web pages

Page 7

Directories for Authorization Info

• Attributes and Roles tend to live in directories

• Good place to put them so apps can find them easily

• Proposed principle: Whatever else we do, let’s issue simple Identity certificates as a first step

• Why?

• Such a cert merely asserts a binding between a public key and a principal (a person, for this discussion)

• That assertion is likely to remain valid for some time

• Lessens frequency of revocation, reissuance

• But it creates a need for tight PKI-Directory integration

• PRIVACY ALERT!!! Threat to anonymity

Page 8

Directories for Authorization Info

• Identity certificates and PKI-Directory integration

• Use the certificate for the authentication step

• Access control decisions depend on role-service mappings

• Roles are carried by authenticated principals

• So given a cert, app must be able to learn more about the subject

• Subject field in the certificate is a Distinguished Name (DN)

• So if we know where to look, we can ask more about subject

Page 9

Directories for Authorization Info

• Identity certificates and PKI:

• Where should we go to ask more about subject?

• A good use for the Directory of Directories for Higher Education (?)

• For Federal PKI, reliance on X.500 chaining and referrals (?)

• What about apps that are supposed to work in both domains?

• Once you’ve found the directory, a simple lookup will find the subject’s full entry

Page 10

Directories for Authorization Info

• More on Role-Service Mappings:

• Our policies (institutional and inter-institutional) will determine which roles (or groups) are eligible for which services

• In turn, roles and groups are defined by policy or business practice

Page 11

Directories for Authorization Info

• More on Role-Service Mappings:

• Directories are the logical place to express roles and group memberships

• Groups in directories is a current hot item for MACE-Dir

• Communities of interest will need to define roles and groups

• Communities of interest will need to be in deep agreement

• Two basic varieties of groups: attribute based and ad hoc
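The chain from slides 8 through 11 (certificate subject DN, directory entry, roles and groups of both varieties, role-service mapping) as an added Go example; it is not code from the talk. The Directory type is an in-memory map standing in for an LDAP server, the two people, the group definitions and the policy are constructed sample data, and DN matching is reduced to case-folding and whitespace trimming rather than the full LDAP matching rules.

```go
package main

import (
	"crypto/x509/pkix"
	"sort"
	"strings"
)

// Attrs is one directory entry's attributes, e.g. "eduPersonAffiliation": {"faculty"}.
type Attrs map[string][]string

// AttrGroup is an attribute-based group: every entry whose Attr contains Value is a member.
type AttrGroup struct{ Attr, Value string }

// Directory is an in-memory stand-in for an LDAP server (constructed for this example).
type Directory struct {
	Entries    map[string]Attrs     // normalized DN -> attributes
	AttrGroups map[string]AttrGroup // group name -> defining attribute value
	AdHoc      map[string][]string  // group name -> explicitly enumerated member DNs
}

// Policy is the role-service mapping: for each service, the roles eligible to use it.
type Policy map[string][]string

// NormalizeDN makes DN strings comparable by case-folding and trimming whitespace.
// Real LDAP DN matching follows richer rules; this is a simplification.
func NormalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		kv := strings.SplitN(p, "=", 2)
		for j := range kv {
			kv[j] = strings.TrimSpace(kv[j])
		}
		parts[i] = strings.ToLower(strings.Join(kv, "="))
	}
	return strings.Join(parts, ",")
}

// SubjectKey turns a certificate's Subject field into the directory lookup key.
func SubjectKey(subject pkix.Name) string { return NormalizeDN(subject.String()) }

// Roles returns the subject's attribute-based and ad hoc groups, or nil without an entry.
func (d Directory) Roles(dn string) []string {
	dn = NormalizeDN(dn)
	entry, ok := d.Entries[dn]
	if !ok {
		return nil
	}
	var roles []string
	for name, g := range d.AttrGroups {
		for _, v := range entry[g.Attr] {
			if strings.EqualFold(v, g.Value) {
				roles = append(roles, name)
				break
			}
		}
	}
	for name, members := range d.AdHoc {
		for _, m := range members {
			if NormalizeDN(m) == dn {
				roles = append(roles, name)
				break
			}
		}
	}
	sort.Strings(roles)
	return roles
}

// Authorize is the access-control step after certificate authentication:
// look the subject up, derive its roles, and consult the role-service mapping.
func (d Directory) Authorize(p Policy, subject pkix.Name, service string) bool {
	for _, role := range d.Roles(SubjectKey(subject)) {
		for _, allowed := range p[service] {
			if role == allowed {
				return true
			}
		}
	}
	return false
}

// DemoDirectory builds constructed sample data: two people, two attribute-based
// groups, one ad hoc committee, and a three-service policy.
func DemoDirectory() (Directory, Policy) {
	d := Directory{
		Entries: map[string]Attrs{
			"cn=tom smith,ou=people,o=example university": {"eduPersonAffiliation": {"faculty"}},
			"cn=jane doe,ou=people,o=example university":  {"eduPersonAffiliation": {"student"}},
		},
		AttrGroups: map[string]AttrGroup{
			"faculty":  {"eduPersonAffiliation", "faculty"},
			"students": {"eduPersonAffiliation", "student"},
		},
		AdHoc: map[string][]string{"admissions-committee": {"CN=Tom Smith, OU=People, O=Example University"}},
	}
	p := Policy{"grade-entry": {"faculty"}, "admissions-review": {"admissions-committee"}, "library-catalog": {"faculty", "students"}}
	return d, p
}
```

The "right Tom Smith" worry from slide 4 is handled only as far as the full DN goes: a Tom Smith whose certificate names another organization has a different subject DN, finds no entry, gets no roles, and is authorized for nothing. The ad hoc group is stored with a differently formatted DN on purpose, to show why normalization has to happen on both sides of the comparison.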

Page 12

Directories for Authorization Info

• What if we opt for attribute certificates?

• The directory is still the place to find authoritative attribute assertions from which to build attribute certificates

• Shifts the burden of community of interest agreement from directory schema to attribute certificate profiles

Page 13

Directory Support for Privacy

• PRIVACY ALERT!! A simple Identity certificate will lead you right to the cache of information in the bearer’s directory entry

• One counter-measure: Control access to directory

• Means directory clients must themselves authenticate to directory

• Means non-person security principals

• Means directory support for access control information

– How fine-grained?

– Not yet standardized (LDAP-Ext work in progress)

• Another avenue: Pseudonymous Identity Certificates

• The DN of the subject of a pseudonymous cert reveals nothing about the subject

Page 14

Directory Support for Privacy

• Pseudonymous Identity Certificates:

• Inspired by DLF, shaped by MACE-Shibboleth

• The DN of the subject of a pseudonymous cert reveals nothing about the subject

• Paired with authenticated binds to the directory, a powerful privacy protection mechanism

• “I’m App X, tell me about ‘XhJSedrtE’”

• But means more work for the PKI-Directory Integration Team

• And if persistent, nefarious interests can leverage it
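Both counter-measures from slides 13 and 14 together, as an added Go example that is not from the talk: a pseudonymous subject name derived with a keyed hash so the DN reveals nothing, and a directory that answers only authenticated application clients and returns only the attributes each client's access control rule allows. The directory, the two clients and their shared secrets, the entry data and the key are all constructed; the shared-secret bind stands in for whatever credential (a client certificate, for instance) a real directory would demand of a non-person principal.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
)

// Client is a non-person security principal: an application that binds to the
// directory with its own credential and may read only the listed attributes.
type Client struct {
	Secret   string   // constructed shared secret; a real bind might use a client certificate instead
	Readable []string // per-attribute access control information for this client
}

// Directory indexes entries by pseudonym and answers only authenticated clients.
type Directory struct {
	entries map[string]map[string]string // pseudonym -> attribute -> value
	clients map[string]Client            // client id -> credential and access rule
}

// Pseudonym derives the opaque name placed in a pseudonymous identity certificate:
// an HMAC over the real identifier under a key only the directory holds. The DN
// then reveals nothing, yet the directory can still locate the entry.
func Pseudonym(key []byte, realID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(realID))
	// 10 bytes -> 16 base32 characters, short enough to sit comfortably in a DN.
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(mac.Sum(nil)[:10])
}

// Lookup is the "I'm App X, tell me about XhJSedrtE" exchange: refuse anonymous or
// wrongly authenticated clients, then return only what this client may read.
func (d *Directory) Lookup(clientID, secret, pseudonym string) (map[string]string, error) {
	c, ok := d.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(secret)) != 1 {
		return nil, errors.New("bind refused: unknown client or bad credential")
	}
	entry, ok := d.entries[pseudonym]
	if !ok {
		return nil, errors.New("no such entry")
	}
	out := map[string]string{}
	for _, attr := range c.Readable {
		if v, ok := entry[attr]; ok {
			out[attr] = v
		}
	}
	return out, nil
}

// NewDemoDirectory builds constructed sample data: one person, filed under the
// pseudonym his certificate would carry, and two application clients whose
// access control rules differ in what they may read.
func NewDemoDirectory(key []byte) *Directory {
	realID := "tom.smith@example.edu"
	return &Directory{
		entries: map[string]map[string]string{
			Pseudonym(key, realID): {"cn": "Tom Smith", "mail": realID, "eduPersonAffiliation": "faculty"},
		},
		clients: map[string]Client{
			"library":   {Secret: "lib-secret", Readable: []string{"eduPersonAffiliation"}},
			"registrar": {Secret: "reg-secret", Readable: []string{"cn", "eduPersonAffiliation"}},
		},
	}
}
```

The granularity question on slide 13 is answered here at the attribute level: the library application can learn that the bearer is faculty but never the name or mail behind the handle. The persistence caveat on slide 14 also shows up: because every application is handed the same pseudonym, anyone who sees it in several places can link those appearances, and the usual answer is to key the derivation per relying party so that no two applications see the same handle.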

Page 15

Directory Support for Info Integrity

• The higher the risk, the more we must secure our directories

• One aspect is directory client confidence in the returned attributes

• Signed assertions as attributes in the directory

• I can decide if I trust the signer of the assertion

• I can be assured that the attribute value has not been altered in transit

• See Oasis-open work on Security Assertions Markup Language (SAML)

• Rare vendor convergence (except MS) on ways to express authentication and authorization assertions
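Slide 15's signed assertions stored as directory attribute values, as an added Go example that is neither code from the talk nor SAML: an attribute authority signs one attribute statement with an Ed25519 key, the result is stored as text in the directory, and the client checks both that it trusts the signer and that nothing changed in transit. The key pair, the signer name "registrar.example.edu", the subject and the attribute are constructed; the text encoding is a deliberately minimal stand-in for a real assertion format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Assertion is one attribute statement: who asserts it, about whom, which
// attribute, and its value.
type Assertion struct {
	Signer, Subject, Attr, Value string
}

// sep delimits the four fields inside the signed payload; the fields are assumed
// not to contain it (a production format would length-prefix or use XML/JSON).
const sep = "\x1f"

func (a Assertion) payload() []byte {
	return []byte(strings.Join([]string{a.Signer, a.Subject, a.Attr, a.Value}, sep))
}

// Sign produces the text an attribute authority writes into the directory:
// base64url(payload) "." base64url(Ed25519 signature over payload).
func Sign(priv ed25519.PrivateKey, a Assertion) string {
	enc := base64.RawURLEncoding
	p := a.payload()
	return enc.EncodeToString(p) + "." + enc.EncodeToString(ed25519.Sign(priv, p))
}

// Verify is the directory client's side: parse the stored value, check that the
// signer is one it trusts, and check the signature over exactly the bytes it
// parsed. A value altered in transit or signed by an unknown party is rejected.
func Verify(trusted map[string]ed25519.PublicKey, stored string) (Assertion, error) {
	enc := base64.RawURLEncoding
	parts := strings.SplitN(stored, ".", 2)
	if len(parts) != 2 {
		return Assertion{}, errors.New("malformed assertion")
	}
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Assertion{}, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Assertion{}, err
	}
	f := strings.Split(string(payload), sep)
	if len(f) != 4 {
		return Assertion{}, errors.New("malformed payload")
	}
	a := Assertion{Signer: f[0], Subject: f[1], Attr: f[2], Value: f[3]}
	pub, ok := trusted[a.Signer]
	if !ok {
		return Assertion{}, errors.New("untrusted signer: " + a.Signer)
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Assertion{}, errors.New("bad signature: value altered or forged")
	}
	return a, nil
}

// DemoAssertion creates a constructed attribute authority key pair, signs one
// statement about Tom Smith, and returns the client's trust store together with
// the value as it would sit in the directory.
func DemoAssertion() (map[string]ed25519.PublicKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := Assertion{
		Signer:  "registrar.example.edu",
		Subject: "cn=Tom Smith,ou=People,o=Example University",
		Attr:    "eduPersonAffiliation",
		Value:   "faculty",
	}
	return map[string]ed25519.PublicKey{a.Signer: pub}, Sign(priv, a)
}
```

The signature covers signer, subject, attribute and value together, so a value copied from one person's entry into another's fails too, but only if the client compares the returned Subject with the DN of the entry it actually read the value from; Verify alone cannot know which entry that was.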

Page 16

Caution: Work Zone Ahead

• Repositories and CRL services in roll-your-own PKIs

• Integration of PKI Suite repositories with enterprise directory

• How do we get the right cert from the repository?

• Picking the apps to work on first (avoiding insanity and ennui)

• Community of interest role definition and maintenance

Page 17

Caution: Work Zone Ahead

• Support for pseudonymous identity certificates

• Support for privacy and other security services (big)

• Oh yes, what about support for mobility (IETF-Sacred)

• OID-vey

• Policies are coming: CP, sure, but DP!?!?!

Page 18

Your Turn

• Q & A & Discussion