Donkey Project
Introduction and ideas around
Yuri Demchenko
February 21, 2003, Amsterdam

Outline
- Problems in traditional PKI and identity management
- Donkey goals
- Donkey functionality
- Design issues
- Timetable
- Next steps
- Discussion: where can Donkey be of use for RIPE NCC?

Problems in PKI and Identity Management
- X.509 PKI is a heavyweight and usually enterprise-oriented solution:
  - It requires a Certification Authority (CA) to create a certificate (PKC) and to anchor trust in it
  - Certificate creation and revocation are complex, slow and expensive
  - LDAP, the standard mechanism for publishing X.509 certificates, is not easily extensible and generally does not scale globally
- Distributed applications and mobile users require secure remote access to electronic credentials and identity information
- P2P networks (normally DHT-based) require a non-hierarchical, non-PKI security infrastructure
- The advent of XML/SOAP-based standards for SSO and identity management creates a technological alternative to traditional PKI and PMI
Donkey and DNSSEC
- DNSSEC can be a source of public keys for zones and nodes, but it is not intended to provide this service to other applications:
  - It is intended for host names, not arbitrary names
  - Updates are slow (propagation through caches, administrative overhead)
  - Retrieving a key requires speaking the DNSSEC protocol (a standard query for the KEY and SIG RRs; at the time of this talk the RFC 2535 record types, later renamed DNSKEY and RRSIG by DNSSEC-bis)
- Donkey can provide a shadow/alternative key distribution infrastructure using application-specific protocols, off-loading DNSSEC

Donkey Goal(s)
- An open, extensible system for public key and identity management
- Initial stage: an open, global, distributed system for publishing and retrieving named, signed public keys
- Intended development: identity management for federated cross-domain AuthN and AuthZ
- Donkey website: http://www.nlnetlabs.nl/donkey/

What is Donkey: Donkey functionality
- Donkey allows anyone to publish a named key, together with optional data (a Donkey package)
- Multiple parties are allowed to publish a key with the same name; applications must select the correct key when multiple keys match
- Donkey is NOT permanent storage: a key must be republished to remain available
- Donkey does NOT define a policy for key or payload usage; this is an application-specific function
- Donkey allows anyone to query for a published key, based on the key's name (required) and its signers (optional)
- Donkey allows anyone to sign a published key

Design issues: Package structure
- A (proprietary) internal format (Python data object), but an XML-based exchange format
- Package ID
- Content
  - Header
    - Flags
    - Names
    - Owner
    - Public key (must be unique; names need not be, see above)
  - Body
    - Payload: application-dependent content and format, intended for AA and identity management; may include a specific format definition (e.g., an embedded XML Schema)
- Signatures
Design considerations
- Build upon existing solutions and standards, but still be capable of a low-cost start
- Gradual development: build up on a key storage/management engine
- XML for package extensibility and exchange, including prospective use of the XML Protocol

Existing OpenSource solutions for AA and PMI
Donkey will be built upon existing PKI and AA applications:
- PGP Key Server
- Internet2 PubCookie/WebISO and Shibboleth/AA
- PAPI (AuthZ and Web SSO)
- A-Select (AuthZ and Web SSO)
- PERMIS (PrivilEge and Role Management Infrastructure Standards Validation Project)
- Akenti (cross-domain AA for Grid applications)

Standards for security assertions
- PGP
- X.509 Public Key Certificate (PKC)
- X.509 Attribute Certificate (AC) for privilege management
- SAML (Security Assertion Markup Language)
- Liberty Alliance Network Identity (XML and SAML based)
- Web Services Security (SOAP extensions)

PKC vs AC: Purposes
- An X.509 PKC binds an identity to a public key
- An AC is a component of the X.509 role-based PMI; an AC contains no public key
- An AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder
- Analogy: a PKC is like a passport, an AC is like an entry visa
- A PKC is used for authentication, an AC for authorisation; an AC may be included in an authentication message
- A PKC relies on a Certification Authority; an AC requires an Attribute Authority (AA)

X.509 PKC Fields and Extensions (check with RFC 3280)
Fields:
- Serial Number
- Subject
- Subject Public Key
- Issuer Unique ID
- Subject Unique ID
Standard extensions:
- Authority Key Identifier
- Subject Key Identifier
- Key Usage
- Extended Key Usage
- CRL Distribution Points
- Private Key Usage Period
- Certificate Policies
- Policy Mappings
- Subject Alternative Name
- Issuer Alternative Name
- Subject Directory Attributes
- Basic Constraints
- Name Constraints
Private (Internet) extensions:
- Authority Information Access
- Subject Information Access
Custom extensions:
- Any OID; a relying party must reject a certificate carrying a critical extension it does not recognise (RFC 3280, section 4.2)

X.509 PKC Extensions format
Every extension is an object identifier, a criticality flag and a DER-encoded value. The Key Usage extension of a CA certificate, as shown in a certificate dump:
  Identifier: Key Usage (2.5.29.15)
  Critical: yes
  Key Usage: Digital Signature, Key Cert Sign, CRL Sign
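The Key Usage extension shown above, decoded from its DER encoding without an ASN.1 library, as an added example that is not part of the original presentation. The byte strings are constructed by hand for this example: CA_KEY_USAGE is the critical digitalSignature/keyCertSign/cRLSign extension from the slide, EE_KEY_USAGE a non-critical digitalSignature-only one with the DEFAULT FALSE BOOLEAN omitted as DER requires, and BAD_PAD a copy with a non-zero padding bit. All function names are this example's own.

```python
"""Decode an X.509 v3 Extension (RFC 3280, section 4.1) from raw DER and interpret
KeyUsage (id-ce 15, OID 2.5.29.15). Hand-rolled TLV walking, no ASN.1 library.
The sample byte strings at the bottom are constructed for this example."""

KEY_USAGE_OID = "2.5.29.15"
# Named bits of the KeyUsage BIT STRING, in bit order (bit 0 first).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for one DER TLV at pos; short and long-form lengths
    up to four octets, single-octet tags only (enough for certificate extensions)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count of following length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal length (not DER)")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_bit_string(value):
    """BIT STRING contents -> list of bits. DER requires the unused low-order bits
    of the last octet to be zero; a non-zero pad is rejected rather than ignored."""
    unused, body = value[0], value[1:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    nbits = len(body) * 8 - unused
    return [(body[i >> 3] >> (7 - (i & 7))) & 1 for i in range(nbits)]


def parse_extension(der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extension must be one SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected extnID OBJECT IDENTIFIER")
    ext = {"oid": decode_oid(oid_bytes), "critical": False}
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                        # explicit BOOLEAN present
        if val != b"\xff":                 # DER: TRUE is 0xFF, FALSE must be omitted
            raise ValueError("BOOLEAN not DER encoded")
        ext["critical"] = True
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected extnValue OCTET STRING as last element")
    ext["value"] = val
    if ext["oid"] == KEY_USAGE_OID:        # KeyUsage ::= BIT STRING { ...named bits... }
        tag, bits, end = read_tlv(val)
        if tag != 0x03 or end != len(val):
            raise ValueError("KeyUsage must be a single BIT STRING")
        ext["keyUsage"] = [name for name, bit in zip(KEY_USAGE_BITS, decode_bit_string(bits)) if bit]
    return ext


def is_der_valid(der):
    """True if the bytes parse as a well-formed DER Extension."""
    try:
        parse_extension(der)
        return True
    except (ValueError, IndexError):
        return False


def key_usage_allows(ext, required):
    """Policy check a relying party makes: an unknown critical extension means reject
    (RFC 3280, section 4.2); a KeyUsage extension must carry every required bit."""
    if ext["oid"] != KEY_USAGE_OID:
        return not ext["critical"]
    return all(bit in ext["keyUsage"] for bit in required)


# Constructed sample: the slide's extension. SEQUENCE { OID 2.5.29.15, BOOLEAN TRUE,
# OCTET STRING { BIT STRING, 1 unused bit, 0x86 = bits 0, 5 and 6 set } }
CA_KEY_USAGE = bytes.fromhex("300E 0603551D0F 0101FF 0404 03020186")
# Constructed sample: non-critical, digitalSignature only (BOOLEAN omitted = DEFAULT FALSE)
EE_KEY_USAGE = bytes.fromhex("300B 0603551D0F 0404 03020780")
# Constructed sample: as above, but a padding bit is set (0xC0 with 7 unused bits)
BAD_PAD = bytes.fromhex("300B 0603551D0F 0404 030207C0")

if __name__ == "__main__":
    for label, der in (("CA", CA_KEY_USAGE), ("EE", EE_KEY_USAGE)):
        print(label, parse_extension(der))
    print("BAD_PAD is valid DER:", is_der_valid(BAD_PAD))
```

The two rejections worth noting are the DER strictness checks: a BOOLEAN encoded as anything other than 0xFF, or a BIT STRING whose padding bits are not zero, is not DER and should not be accepted silently, because two parsers that disagree on such encodings will disagree on which key usages a certificate grants.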
AC vs PKC: Certificate structure
X.509 PKC:
- Version
- Serial number
- Signature
- Issuer
- Validity
- Subject
- Subject Public Key Info
- Issuer unique identifier
- Subject unique identifier
- Extensions
X.509 AC:
- Version
- Holder
- Issuer
- Signature
- Serial number
- Validity
- Attributes
- Issuer unique ID
- Extensions

AC Attribute Types and AC Extensions
AC attribute types:
- Service Authentication Information
- Access Identity
- Charging Identity
- Group
- Role
- Clearance
- Profile of AC
AC extensions:
- Audit Identity: protects privacy and provides anonymity; the holder may still be traceable via the AC issuer
- AC Targeting
- Authority Key Identifier
- Authority Information Access
- CRL Distribution Points

Donkey Project milestones
- Overview and inventory/planning (current stage): basic technologies and development environment selected; overview document
- March-April: overview of prospective application areas; requirements (common and application-specific); draft package and protocol description/definition
- April-May: API definition and Donkey prototyping; API requirements
- June-August: development and pilot implementation for one or two applications

Donkey current status
- Work on the Donkey prototype has just started:
  - Key generation (DSA or RSA keys)
  - Creating a new Donkey package
  - Adding a signature to, and verifying the signatures of, an existing Donkey package
  - Data model and XML DTD/Schema for Donkey packages
- Goal: create a base for experiments with application-specific payloads

Some specific next tasks
- Overview of existing solutions for AA and identity management
- Analysis of application-specific requirements
- Scalability analysis
- Trust analysis
- Threat analysis
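The publish/query semantics from the "Donkey functionality" slide and the prototype steps from the "Donkey current status" slide (key generation, creating a package, adding and verifying signatures), as an added example that is not part of the original presentation and not the Donkey project's own code. Assumptions not taken from the slides: textbook RSA with a 512-bit toy modulus and no padding stands in for the real RSA/DSA keys and signature format; canonical JSON stands in for the XML exchange format; an "expires" field models the rule that a key must be republished to remain available. DonkeyStore, new_package, valid_signers and the names and keys used in demo() are hypothetical.

```python
"""Toy model of Donkey publish/query: named, signed keys, several publishers per name,
optional signer filter, expiry for 'must be republished'. Added example, not Donkey's code."""
import hashlib, json, random, time

def _is_probable_prime(n, rounds=16):     # Miller-Rabin, demo quality only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1    # exact size, odd
        if _is_probable_prime(c):
            return c

def generate_rsa(bits=512):               # textbook RSA; returns (public, private)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest(data):                          # SHA-256 as an int; < n whenever n >= 2**256
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):                       # toy: raw RSA on the hash, no padding
    return pow(_digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    return 0 <= sig < pub["n"] and pow(sig, pub["e"], pub["n"]) == _digest(data)

def canonical(obj):                         # deterministic bytes for signing and hashing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def key_id(pub):
    return hashlib.sha256(canonical(pub)).hexdigest()[:16]

def new_package(name, owner_pub, owner_priv, payload, ttl=3600, now=None):
    """Header (names, owner, key) + body (payload) + signatures; the owner self-signs."""
    content = {"header": {"names": [name], "owner": key_id(owner_pub), "key": owner_pub,
                          "expires": (time.time() if now is None else now) + ttl},
               "body": {"payload": payload}}
    pkg = {"id": hashlib.sha256(canonical(content)).hexdigest()[:16],
           "content": content, "signatures": []}
    add_signature(pkg, owner_pub, owner_priv)
    return pkg

def add_signature(pkg, signer_pub, signer_priv):
    """Anyone may sign a package; each signature covers the content only."""
    sig = sign(signer_priv, canonical(pkg["content"]))
    pkg["signatures"].append({"signer": key_id(signer_pub), "key": signer_pub, "sig": sig})

def valid_signers(pkg):
    """IDs of signers whose signature still verifies over the current content."""
    data = canonical(pkg["content"])
    return {s["signer"] for s in pkg["signatures"] if verify(s["key"], data, s["sig"])}

class DonkeyStore(dict):                    # package id -> package
    def publish(self, pkg):
        header = pkg["content"]["header"]
        if key_id(header["key"]) != header["owner"] or header["owner"] not in valid_signers(pkg):
            raise ValueError("package lacks a valid owner self-signature")
        self[pkg["id"]] = pkg               # several parties may publish the same name

    def query(self, name, signers=(), now=None):
        """Name required; optional signers must all have validly signed; expired dropped."""
        now = time.time() if now is None else now
        return [p for p in self.values()
                if name in p["content"]["header"]["names"]
                and p["content"]["header"]["expires"] > now
                and set(signers) <= valid_signers(p)]

def demo():                                 # two publishers claim one name; a signer disambiguates
    random.seed(1)                          # reproducible toy keys for the demo only
    alice, mallory, registry = generate_rsa(), generate_rsa(), generate_rsa()
    store = DonkeyStore()
    real = new_package("alice@example.org", *alice, {"role": "member"}, now=0)
    fake = new_package("alice@example.org", *mallory, {"role": "admin"}, now=0)
    add_signature(real, *registry)          # the registry vouches for Alice's key only
    store.publish(real); store.publish(fake)
    by_name = store.query("alice@example.org", now=1)
    by_signer = store.query("alice@example.org", signers=[key_id(registry[0])], now=1)
    real["content"]["body"]["payload"]["role"] = "admin"      # tamper after signing
    return {"by_name": len(by_name), "by_signer": len(by_signer),
            "by_signer_is_alice": by_signer[0]["content"]["header"]["owner"] == key_id(alice[0]),
            "tampered_signers": len(valid_signers(real)),
            "after_expiry": len(store.query("alice@example.org", now=10_000))}
```

The point the demo makes is the one the functionality slide leaves to the application: a query by name alone returns both the genuine and the impostor package, and only the optional signer filter (here a hypothetical registry that endorsed Alice's key) narrows it to one. Donkey itself stores whatever carries a valid self-signature; the trust decision is application policy, and tampering with a stored package invalidates every signature on it, including the owner's.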