eID validations services
Houcine Bel Mamoune, Unit manager
eID Technical Drill down Session, 7 April 2005

Page 1: eID validations services

eID validations services
Houcine Bel Mamoune
Unit manager
eID Technical Drill down Session
7 April 2005

Page 2

eID validations services

Introduction

eID CA profile and hierarchy

eID Repository

eID LDAP

eID CRL/delta CRL

eID OCSP

Q&A

Page 3

Introduction

Diagram of the parties involved in eID issuance: eID Card Manufacturer, eID Certificate Authority, Citizen, Belgian National Register, Belgian municipalities, PUK & PIN.

Page 4

Chain of Trust

eID CA profile and hierarchy

CA tree structure (diagram): Belgium Root CA (off line); several Citizen CAs below it; under each Citizen CA the Auth. Citizen cert. and the Sign. Citizen cert.

Relying party trusts the Belgium Root CA key.

Belgium Root CA issues Citizen CA certificates.

Relying party verifies the certificate along a certificate path leading to the root.

Page 5

eID CA profile and hierarchy

Certificate fields:
Certificate Serial Number (unique)
Unique name identifying the certificate owner
Certificate usage (Sign./Auth.)
Validity period (5 years)
Public key
Issuer name & signature
Technical information: Version (3), Signature algorithm, Authority info access

Example certificate:
Subject:
  Serial Number = 12345678901
  G = John Fitzgerald
  SN = Doe
  CN = John Doe (Signature)
  C = BE
Public key:
Validity: 1/07/2003 10:03:00 to 1/07/2008 10:03:00
Certificate Serial Number: 3214
Issuer: CA-Name
Signature: CA Digital signature

Page 6

eID CA profile and hierarchy

Authentication Certificate | Signature Certificate

Page 7

eID CA profile and hierarchy

Citizen CA: CRL distribution point | Citizen CA: Authority Key Identifier

Page 8

eID CA profile and hierarchy

Citizen Certificates: Authority Information Access | Citizen Certificates: CDP

Page 9

eID repository

eID CSP repository links:
http://repository.eid.belgium.be is the eID CSP web site
http://crl.eid.belgium.be
http://certs.eid.belgium.be
http://status.eid.belgium.be

• Certificate Status Web Service: provides real-time certificate status
• Certificate Revocation List (CRL) Lookup Service

http://ocsp.eid.belgium.be
ldap.eid.belgium.be port 389

The new eID government web site: http://eid.belgium.be

• With links to the Fedict and RRN web sites

Certipost eID web shop: http://www.eid-shop.be

Page 10

eID repository

Page 11

eID LDAP

eID LDAP is the CA public directory:

Accessible using LDAP v2 on the host ldap.eid.belgium.be, port 389, base dc=eid, dc=belgium, dc=be

Page 12

eID CRL/ ΔCRL

Used to validate certificates

Includes information such as:
Issuer of the CRL
Type of signature applied on the CRL
Date and time when the CRL is issued
Date and time of the next CRL update
List of revoked certificates (serial number, revocation date)

Page 13

Certificate revocation list profile

eID CRL/ ΔCRL

Version v2

Signature sha1RSA

Issuer <subject CA>

ThisUpdate <creation time>

NextUpdate <creation time> + 7 days

RevokedCertificates

UserCertificate <certificate serial number>

RevocationDate <revocation time>

CrlEntryExtensions

CRL Reason Code certificateHold(6) (for suspended certificates). Note: otherwise NOT included!

CrlExtensions

Authority Key Identifier non-critical <subject key identifier CA>

CRL Number non-critical <The CA operator assigned unique number>
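The chain of trust of slide 4 and the certificate profile of slide 5, built and checked with Go's crypto/x509, as an added example that is not part of this deck or of the eID software: an off-line root signs a Citizen CA, the Citizen CA issues a citizen certificate whose subject carries the slide-5 attributes (serialNumber, G, SN, CN "John Doe (Signature)", C=BE) with a 5-year validity, and the relying party verifies the path while trusting only the root key. All keys, names and dates are generated here; ECDSA/SHA-256 stands in for the deck's sha1RSA, and expressing the Sign. usage as the nonRepudiation key usage is this example's assumption, not something the slides state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

type DemoPKI struct { // off-line root, Citizen CA, citizen certificate (slide 4)
	Root, CitizenCA, Leaf *x509.Certificate
}

// issue generates a P-256 key and signs tmpl with parentKey, or self-signs when
// parent is nil. ECDSA/SHA-256 stands in for the deck's sha1RSA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Country: []string{"BE"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoPKI issues root -> Citizen CA -> citizen (Signature) certificate. The leaf
// carries the slide-5 subject and 5-year validity; nonRepudiation marks it as Sign.
func BuildDemoPKI(now time.Time) (*DemoPKI, error) {
	root, rootKey, err := issue(caTemplate("Belgium Root CA", 1, now), nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue(caTemplate("Citizen CA", 2, now), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3214),
		Subject: pkix.Name{
			SerialNumber: "12345678901", CommonName: "John Doe (Signature)", Country: []string{"BE"},
			ExtraNames: []pkix.AttributeTypeAndValue{ // G= and SN= have no pkix.Name field
				{Type: asn1.ObjectIdentifier{2, 5, 4, 42}, Value: "John Fitzgerald"}, // givenName
				{Type: asn1.ObjectIdentifier{2, 5, 4, 4}, Value: "Doe"},              // surname
			},
		},
		NotBefore: now.Add(-time.Hour),
		NotAfter:  now.AddDate(5, 0, 0),
		KeyUsage:  x509.KeyUsageContentCommitment,
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, CitizenCA: ca, Leaf: leaf}, nil
}

// VerifyChain is the relying-party step of slide 4: trust only the root key and
// require a path leaf -> Citizen CA -> root that is valid at time "at".
func VerifyChain(leaf, intermediate, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	now := time.Now()
	pki, err := BuildDemoPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println(pki.Leaf.Subject.String(), "| valid until", pki.Leaf.NotAfter.Format("2006-01-02"),
		"| path to Belgium Root CA:", VerifyChain(pki.Leaf, pki.CitizenCA, pki.Root, now))
	other, _ := BuildDemoPKI(now) // an unrelated hierarchy with the same names: its root is not trusted
	fmt.Println("path to a foreign root:", VerifyChain(other.Leaf, other.CitizenCA, pki.Root, now))
}
```

The second hierarchy reuses the names "Belgium Root CA" and "Citizen CA", so the negative case shows that path building is decided by signatures against the trusted root key, not by matching names.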

Page 14

Certificate revocation list profile

eID CRL/ ΔCRL

Page 15

Delta CRL profile

eID CRL/ ΔCRL

Page 16

eID CRL/ ΔCRL

CRL/Delta CRL process (diagram, rows CRL and Delta CRL against time):

t0: CRL
Serial numbers 1000 0000 0000, 1000 0000 0001, 1000 0000 0002

t1 (= t0 + 3h): Delta CRL
Serial numbers 1000 0000 0003, 1000 0000 0004 (certificateHold), 1000 0000 0005
Resulting CRL: 1000 0000 0000, 1000 0000 0001, 1000 0000 0002, 1000 0000 0003, 1000 0000 0004, 1000 0000 0005

t2 (= t1 + 3h = t0 + 6h): Delta CRL
Serial numbers 1000 0000 0004 (removeFromCrl), 1000 0000 0006, 1000 0000 0007
Resulting CRL: 1000 0000 0000, 1000 0000 0001, 1000 0000 0002, 1000 0000 0003, 1000 0000 0005, 1000 0000 0006, 1000 0000 0007
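The CRL/ΔCRL process of slide 16, carrying the CRL profile fields of slide 13 (nextUpdate = thisUpdate + 7 days, a CRL number, a reason code only for certificateHold), as an added Go example that is not part of the deck or of the eID services. It folds the base CRL and the two deltas into the effective list at t0, t1 and t2 with the slide's serial numbers, lifts the hold on 1000 0000 0004 through removeFromCRL, and refuses a skipped delta or a list that is past its nextUpdate. The clock values and CRL numbers are constructed; the deck gives only the relative times. The deck's deltas each carry only the changes since the previous list, so they are applied in order here (RFC 5280 deltas instead list all changes since the referenced base).

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Reason codes used by the deck: certificateHold marks a suspended certificate and
// removeFromCRL, only ever in a delta CRL, lifts an earlier hold. Ordinary
// revocations carry no reason code at all (slide 13: "otherwise NOT included").
const CertificateHold, RemoveFromCRL = 6, 8

type Entry struct {
	Serial string
	Reason int // 0 when the entry has no reason code
}

// List is a base CRL or a delta CRL: CRL number, thisUpdate/nextUpdate, entries.
type List struct {
	Number                 int
	ThisUpdate, NextUpdate time.Time
	Delta                  bool
	Entries                []Entry
}

// NewList applies the slide-13 profile: nextUpdate = thisUpdate + 7 days.
func NewList(number int, at time.Time, delta bool, entries ...Entry) List {
	return List{Number: number, ThisUpdate: at, NextUpdate: at.Add(7 * 24 * time.Hour), Delta: delta, Entries: entries}
}

// Apply folds a base CRL and its deltas into the effective revocation state at
// time "at". Every list must be current and follow the previous CRL number;
// removeFromCRL is accepted only in a delta and only for a serial on hold.
func Apply(at time.Time, base List, deltas ...List) (map[string]int, error) {
	state, prev := map[string]int{}, base.Number-1
	for _, l := range append([]List{base}, deltas...) {
		if at.Before(l.ThisUpdate) || at.After(l.NextUpdate) {
			return nil, fmt.Errorf("CRL %d is not current at %s", l.Number, at.Format(time.RFC3339))
		}
		if l.Number != prev+1 {
			return nil, fmt.Errorf("CRL %d does not follow CRL %d", l.Number, prev)
		}
		for _, e := range l.Entries {
			switch {
			case e.Reason == RemoveFromCRL && l.Delta && state[e.Serial] == CertificateHold:
				delete(state, e.Serial) // suspension lifted: the certificate is usable again
			case e.Reason == RemoveFromCRL:
				return nil, fmt.Errorf("CRL %d: removeFromCRL for %q without a prior certificateHold", l.Number, e.Serial)
			default:
				state[e.Serial] = e.Reason
			}
		}
		prev = l.Number
	}
	return state, nil
}

// Status is what a relying party concludes for one serial from that state.
func Status(state map[string]int, serial string) string {
	r, ok := state[serial]
	if !ok {
		return "good"
	}
	if r == CertificateHold {
		return "suspended"
	}
	return "revoked"
}

// Serials lists the effective CRL content in order, like the slide-16 columns.
func Serials(state map[string]int) []string {
	out := make([]string, 0, len(state))
	for s := range state {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// Scenario is the slide-16 timeline with its serial numbers; the clock values and
// CRL numbers are constructed (the deck gives only t0, t1 = t0 + 3h, t2 = t1 + 3h).
func Scenario() (t0, t1, t2 time.Time, base, d1, d2 List) {
	t0 = time.Date(2005, 4, 7, 9, 0, 0, 0, time.UTC)
	t1, t2 = t0.Add(3*time.Hour), t0.Add(6*time.Hour)
	base = NewList(100, t0, false, Entry{Serial: "1000 0000 0000"}, Entry{Serial: "1000 0000 0001"}, Entry{Serial: "1000 0000 0002"})
	d1 = NewList(101, t1, true, Entry{Serial: "1000 0000 0003"}, Entry{Serial: "1000 0000 0004", Reason: CertificateHold}, Entry{Serial: "1000 0000 0005"})
	d2 = NewList(102, t2, true, Entry{Serial: "1000 0000 0004", Reason: RemoveFromCRL}, Entry{Serial: "1000 0000 0006"}, Entry{Serial: "1000 0000 0007"})
	return
}

func main() {
	t0, t1, t2, base, d1, d2 := Scenario()
	steps := []struct{ at time.Time; deltas []List }{{t0, nil}, {t1, []List{d1}}, {t2, []List{d1, d2}}}
	for _, s := range steps {
		state, err := Apply(s.at, base, s.deltas...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s  CRL=%v  0004=%s\n", s.at.Format("15:04"), Serials(state), Status(state, "1000 0000 0004"))
	}
	_, err := Apply(t2, base, d2) // d1 skipped: the gap in CRL numbers is detected
	fmt.Println("base + d2 only:", err)
}
```

The nextUpdate check is what bounds the "maximum of 3 hours of delay" of slide 21: a relying party that keeps validating against a list past its nextUpdate is no longer seeing the status the CA publishes.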

Page 17

eID CRL/ ΔCRL

Current CRL size for the Citizen CA 2004 is about 3,04 MB

Estimated size per entry in future CRL/ ΔCRL is about 38 bytes / entry

CRL size for 16 000 000 citizen certificates: 580 MB. Size issue!

Needs a CRL splitting scheme by generating several Citizen CAs; each CA will issue its own CRL and ΔCRL

3 options to mitigate it:

• Use ΔCRL

• Generate several CA certificates

• Use OCSP

Page 18

eID OCSP

The OCSP responder is OCSP v1 compliant (RFC 2560).

Suspended certificates are reported as revoked, since OCSP has no separate "suspended" status.

Good if the certificate was issued by the CA and the certificate is valid

Revoked if the certificate was issued by the CA and its status is revoked, or the certificate is suspended

Unknown if the certificate was not issued by the CA

Page 19

eID OCSP

Diagram elements: Applications or relying party; OCSP client; Alice's Cert #123; OCSP Request: Cert #123; OCSP responder; CRL / ΔCRL; Web status; CA DB; Citizen CA; Belgium Root CA

Provides real-time status information

Decreases the risk of using revoked certificates

Returns status good, revoked or unknown

Uses the OCSP URL from the certificate to gain access to the responder

Page 20

OCSP versus CRL/ΔCRL

Diagram elements: Your application; (Offline) Certificate Revocation List; Online Certificate Status Protocol; eID Validation Services; Back-office; Citizen

Page 21

OCSP versus CRL/ΔCRL

Access method
  OCSP: Online. Transaction based, relying on the OCSP server availability; almost no delay between request and answer; returns the effective, current certificate status; the requesting service must be able to perform an online OCSP request.
  CRL/Delta CRL: Offline. Download of the last CRL/Delta CRL before any validation; local transaction; not synchronised with the online status: a maximum of 3 hours of delay if each Delta CRL is fetched.

Access protocol
  OCSP: HTTP
  CRL/Delta CRL: HTTP(s)/LDAP

Local storage needed
  OCSP: NO, very limited as transaction based
  CRL/Delta CRL: YES, need to download and store locally at least the last CRL/Delta CRL; it is disk-storage consuming

Internet bandwidth
  OCSP: LOW, as transaction based
  CRL/Delta CRL: HIGH, it will require a high bandwidth for downloading CRLs. As every eID citizen certificate is first suspended before being optionally activated, the CRL file is large.

Signed answer
  OCSP: YES, answers are signed by the OCSP responder private key
  CRL/Delta CRL: YES, CRL and Delta CRL are signed by the issuing CA private key

Page 22

OCSP versus CRL/ΔCRL

E.g. the eID OCSP validation service could be used daily, in conjunction with CRL/ ΔCRL as a backup

The choice between OCSP and CRL/ ΔCRL depends on your business, on your risk assessment, …

Most probably a balance between the two protocols

Page 23

Thank You !