
Page 1: Public Key Infrastructures: Evolving Approaches
30-December-1998 Copyright(c) Yale University 1998

Page 2: Brief Sordid History

- X.500 Directory Authentication
  - Beginnings of the X.509 Standard
- PEM - Privacy Enhanced Mail
  - A Vote of Confidence
- PGP - A Radical Departure
- Netscape SSL - First "real" Application
  - Make-do Approach

Page 3: We Need a PKI! (so what is it exactly?)

- An Open Purchase Order to Verisign?
- A Software Package Allowing for the Creation of Certificates?
- A Detailed Legal Statement Indemnifying the Institution Against Lawsuits?

Page 4: Enter PKIX

Addressing the Sum Total Angst of the Community

[Figure: PKIX Scope, made up of Certificate & CRL Profiles, Operational Protocols, Management Protocols, and a Policy Outline]

Page 5: Infrastructure Trends

- Increased focus on the Local over the Global
  - Support for more comprehensive local namespace
  - Cross certification support
- Certificate Policy No Longer Tied to CA "ancestry"

Page 6: Subject Alternate Name

[Figure: subjectAltName is a sequence of (one or more) GeneralName entries, shown with rfc822Name newman-andy@yale.edu, dNSName otto.its.yale.edu, iPAddress 130.132.21.50 and URI http://www.foo.bar/doc.html]

- Provides tagged local namespace
  - Alternative to overloading DN fields
- Allows for more common "Internet centric" naming
- Null DN allowed for non-CA certificates
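The tagged "sequence of (one or more)" structure on this slide, encoded and parsed by hand so the context-specific tags that give each name form its meaning are visible. This is an added example, not from the slides; it assumes the IMPLICIT GeneralName tags of the PKIX certificate profile (RFC 2459, later RFC 5280), supports only the four name forms the slide shows, and uses the slide's sample names as constructed input.

```python
import ipaddress
# Context-specific IMPLICIT tags of the GeneralName alternatives on the slide
# (PKIX profile, RFC 2459 / RFC 5280); any other tag is rejected on decode.
TAGS = {"rfc822Name": 0x81, "dNSName": 0x82,
        "uniformResourceIdentifier": 0x86, "iPAddress": 0x87}
NAMES = {tag: kind for kind, tag in TAGS.items()}
def der_len(n: int) -> bytes:  # short form below 128, else 0x80|count + big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def encode_general_name(kind: str, value: str) -> bytes:
    # iPAddress carries raw address octets; the other three are IA5String text.
    payload = ipaddress.ip_address(value).packed if kind == "iPAddress" else value.encode("ascii")
    return bytes([TAGS[kind]]) + der_len(len(payload)) + payload
def encode_san(names) -> bytes:  # SEQUENCE OF GeneralName, one or more
    if not names:
        raise ValueError("subjectAltName needs at least one GeneralName")
    inner = b"".join(encode_general_name(k, v) for k, v in names)
    return b"\x30" + der_len(len(inner)) + inner
def read_tlv(buf: bytes, pos: int):  # -> (tag, value, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length
def decode_san(der: bytes):  # back to (kind, text) pairs
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subjectAltName must be exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag not in NAMES:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        kind = NAMES[tag]
        text = str(ipaddress.ip_address(val)) if kind == "iPAddress" else val.decode("ascii")
        names.append((kind, text))
    if not names:
        raise ValueError("empty subjectAltName")
    return names
# Constructed input: the four names shown on the slide.
SLIDE_SAN = [("rfc822Name", "newman-andy@yale.edu"), ("dNSName", "otto.its.yale.edu"),
             ("iPAddress", "130.132.21.50"), ("uniformResourceIdentifier", "http://www.foo.bar/doc.html")]
```

Note that the iPAddress form is four raw octets, not the dotted text, which is why a checker comparing names must decode by tag rather than by string matching.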

Page 7: Certificate Policies

[Figure: certificatePolicies is a sequence of (one or more) entries, each a policyIdentifier plus policyQualifiers, itself a sequence of (zero or more) qualifiers that are either a cPSuri or a userNotice]

- Provides locally interpreted OID
- Optional qualifiers provide reference to CPS statement & summary text
- PolicyMappings extend policies to cross certified trust trees