eID validations services
Houcine Bel Mamoune
Unit manager


eID Technical Drill down Session for Financial Services - 15/12/2004
eID validations services

Introduction
eID CA profile and hierarchy
eID Repository
eID LDAP
eID CRL/delta CRL
eID OCSP
Q&A
Introduction

[Diagram: actors in the eID issuance chain - eID Certificate Authority, Belgian National Register, eID Card Manufacturer, Belgian municipalities, Citizen (PUK & PIN).]
eID CA profile and hierarchy

Belgium Root CA off line
CA Tree structure
Relying party trusts the Belgium Root CA key
Belgium Root CA issues Citizen CA certificates
Relying party verifies certificate along a certificate path leading to the root.

[Diagram - Chain of Trust: Belgium Root CA -> Citizen CA (several Citizen CAs) -> Auth. Citizen cert. and Sign. Citizen cert.]
eID CA profile and hierarchy

Certificate Serial Number (unique)
Unique name identifying certificate owner
Certificate usage (Sign./Auth.)
Validity period (5 year)
Public key
Issuer name & signature
Technical information
   Version (3)
   Signature algorithm
   Authority info access
   …

Example certificate:
   Certificate Serial Number: 3214
   Subject:
      Serial Number = 12345678901
      G = John Fitzgerald
      SN = Doe
      CN = John Doe (Signature)
      C = BE
   Public key:
   Validity: 1/07/2003 10:03:00 - 1/07/2008 10:03:00
   Issuer: CA-Name
   Signature: CA Digital signature
eID CA profile and hierarchy

[Figure: Authentication Certificate / Signature Certificate]
eID CA profile and hierarchy

[Figure: Citizen CA CRL distribution point / Citizen CA Authority Key identifier]
eID CA profile and hierarchy

[Figure: Citizen Certificates Authority Information access / Citizen Certificates CDP]
eID repository

eID CSP repository links:
   http://repository.eid.belgium.be is the eID CSP web site
   http://crl.eid.belgium.be
   http://certs.eid.belgium.be
   http://status.eid.belgium.be
     • Certificate Status Web Service: provides real time certificate status
     • Certificate Revocation List (CRL) Lookup Service
   http://ocsp.eid.belgium.be
   ldap.eid.belgium.be port 389
The new eID government web site:
   http://eid.belgium.be
     • With links to the Fedict and RRN web sites
Certipost eID web shop
   http://www.eid-shop.be
eID repository

[Figure: eID repository]
eID LDAP

eID LDAP is the CA public directory:
   Accessible by using LDAP v2 on the host ldap.eid.belgium.be port 389, base dc=eid, dc=belgium, dc=be
eID CRL/ ΔCRL

Used to validate certificates
Includes information such as:
   Issuer of the CRL
   Type of signature applied on the CRL
   Date and Time when the CRL is issued
   Date and Time of the next CRL update
   List of revoked certificates (Serial Number, Revocation date)
eID CRL/ ΔCRL

Certificate revocation list profile
    Version                       v2
    Signature                     sha1RSA
    Issuer                        <subject CA>
    ThisUpdate                    <creation time>
    NextUpdate                    <creation time> + 7 days
    RevokedCertificates
      UserCertificate             <certificate serial number>
      RevocationDate              <revocation time>
    CrlEntryExtensions
      CRL Reason Code             certificateHold(6) (for suspended certificates)
                                  Note: otherwise NOT included!
    CrlExtensions
      Authority Key Identifier    non-critical <subject key identifier CA>
      CRL Number                  non-critical <the CA operator assigned unique number>
eID CRL/ ΔCRL

Certificate revocation list profile
[Figure: Certificate revocation list profile]

eID CRL/ ΔCRL

Delta CRL profile
[Figure: Delta CRL profile]
eID CRL/ ΔCRL

CRL/Delta CRL process

                 t0                t1 (= t0 + 3h)            t2 (= t1 + 3h) (= t0 + 6h)

CRL              Serial number     Serial number             Serial number
                 1000 0000 0000    1000 0000 0000            1000 0000 0000
                 1000 0000 0001    1000 0000 0001            1000 0000 0001
                 1000 0000 0002    1000 0000 0002            1000 0000 0002
                                   1000 0000 0003            1000 0000 0003
                                   1000 0000 0004
                                   1000 0000 0005            1000 0000 0005
                                                             1000 0000 0006
                                                             1000 0000 0007

Delta CRL                          Serial number             Serial number
                                   1000 0000 0003            1000 0000 0004
                                   1000 0000 0004              (removeFromCrl)
                                     (certificateHold)       1000 0000 0006
                                   1000 0000 0005            1000 0000 0007
eID CRL/ ΔCRL

Current CRL size for the Citizen CA 2004 is about 3,04 MB
Estimated entry size per future CRL/ ΔCRL is about 38 bytes / entry
CRL size for 16 000 000 citizen certificates: 580 MB
Needs a CRL splitting schema by generating several Citizen CA's
Each CA will issue its own CRL and ΔCRL

Size issue!
  3 options to mitigate it:
    • Use ΔCRL
    • Generate several CA certificates
    • Use OCSP
eID OCSP

The OCSP service is OCSP V1 compliant (RFC2560).
Suspended certificates will be marked as revoked since the "Suspended" status is currently not supported by OCSP.

Good       if the certificate is issued by the CA and the certificate is valid
Revoked    if the certificate is issued by the CA and the status of the certificate is revoked, or the certificate is suspended
Unknown    if the certificate is not issued by the CA
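The CRL/delta CRL process shown earlier (t0, t1 = t0 + 3h, t2 = t0 + 6h) and the OCSP status rules above, replayed as an added Python example that is not code from the presentation: it folds the t1 and t2 delta CRLs into the base CRL, honouring the certificateHold and removeFromCrl entries, and answers status queries the way the eID responder does, with suspended reported as revoked. The serial numbers come from the diagram; the ISSUED set (standing in for the CA database) and the 3-hour freshness check are assumptions.

```python
# Added example, not the presentation's own code: replays the slide's CRL /
# delta CRL process (t0, t1 = t0 + 3h, t2 = t0 + 6h) and answers status
# queries with the eID OCSP semantics. Serials are taken from the diagram;
# ISSUED is a constructed stand-in for the CA database.
from datetime import datetime, timedelta

CERTIFICATE_HOLD = "certificateHold"  # reason code 6: suspended certificate
REMOVE_FROM_CRL = "removeFromCrl"     # delta CRL entry that lifts a hold

def serial(n: int) -> int:
    """Serial 1000 0000 000n from the slide, as an integer."""
    return 100000000000 + n

def apply_delta(base: dict, delta: list) -> dict:
    """Fold a delta CRL into the current list (serial -> reason or None).
    removeFromCrl drops the serial; any other entry adds or updates it."""
    merged = dict(base)
    for sn, reason in delta:
        if reason == REMOVE_FROM_CRL:
            merged.pop(sn, None)
        else:
            merged[sn] = reason
    return merged

def ocsp_status(issued: set, revoked: dict, sn: int) -> str:
    """unknown for serials the CA never issued; revoked for revoked or
    suspended (certificateHold) certificates; good otherwise."""
    if sn not in issued:
        return "unknown"
    return "revoked" if sn in revoked else "good"

def delta_is_fresh(this_update: datetime, now: datetime,
                   period: timedelta = timedelta(hours=3)) -> bool:
    """Fetching every delta CRL keeps a relying party at most one period
    (3 hours on the slide) behind the online status."""
    return timedelta(0) <= now - this_update <= period

# Constructed data following the t0 / t1 / t2 columns of the diagram.
ISSUED = {serial(n) for n in range(10)}
CRL_T0 = {serial(0): None, serial(1): None, serial(2): None}
DELTA_T1 = [(serial(3), None), (serial(4), CERTIFICATE_HOLD), (serial(5), None)]
DELTA_T2 = [(serial(4), REMOVE_FROM_CRL), (serial(6), None), (serial(7), None)]

def effective_lists():
    """Revocation list after each delta, matching the slide's CRL column."""
    t1 = apply_delta(CRL_T0, DELTA_T1)
    return t1, apply_delta(t1, DELTA_T2)
```

Note that serial 1000 0000 0004 is reported as revoked at t1 (on hold) and as good again at t2 once the removeFromCrl entry is applied, which is exactly the case a relying party working from a stale base CRL would get wrong.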
eID OCSP

Provide real-time status information
Decrease risk of using revoked certificates
Return status good, revoked or unknown
Use of OCSP URL from certificate to gain access to the responder

[Diagram: Belgium Root CA, Citizen CA, CA DB, CRL, ΔCRL, Web status, OCSP responder; applications or relying party with an OCSP client sending "OCSP Request: Cert #123" (Alice).]
OCSP versus CRL/ΔCRL

[Diagram: Online Certificate Status Protocol versus (Offline) Certificate Revocation List, both provided by the eID Validation Services; actors: Citizen, Your application, Back-office, Citizen.]
OCSP versus CRL/ΔCRL

                        OCSP                                      CRL/Delta CRL

Access method           Online:                                   Offline:
                        Transaction based, relying on the         Download of the last CRL/DeltaCRL
                        OCSP server availability                  before any validation
                        About no delays between requests          Local transaction
                        and answers                               Not synchronised with the online status;
                        Gets the effective and current            maximum of 3 hours of delay if each
                        certificate status                        DeltaCRL is fetched
                        Requesting service must be able to
                        perform an online OCSP request

Access protocol         HTTP                                      HTTP(s)/LDAP

Local storage needed    NO                                        YES
                        Very limited as transaction based         Need to download and store locally at least
                                                                  the last CRL/DeltaCRL;
                                                                  It is disk storage consuming

Internet bandwidth      LOW                                       HIGH
                        As transaction based                      It will require a high bandwidth for
                                                                  downloading CRL's.
                                                                  As every eID citizen's certificate is first
                                                                  suspended before being optionally activated:
                                                                  large CRL file

Signed answer           YES                                       YES
                        Answers are signed by the OCSP            CRL and Delta CRL are signed by the
                        responder private key                     issuing CA private key
OCSP versus CRL/ΔCRL

E.g. the eID OCSP validation services could be used daily, in conjunction with CRL/ ΔCRL as a backup.
The choice between OCSP and CRL/ ΔCRL depends on your business, on your risk assessment, …

Most probably a balance between the 2 protocols
Thank You !