1 / 13

SCVP 16

SCVP 16. Trevor Freeman Russ Housley Ambarish Malpani. What's Different From 15. 7 areas changed 5 new features Numerous editorial changes. Changes. Validation policy ref & validation alg clarifications Single policy per request clean up userPolicySet keyUsage & keyUsages

apria
Download Presentation

SCVP 16

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SCVP 16 Trevor Freeman Russ Housley Ambarish Malpani

  2. What's Different From 15 • 7 areas changed • 5 new features • Numerous editorial changes

  3. Changes • Validation policy ref & validation alg clarifications • Single policy per request clean up • userPolicySet • keyUsage & keyUsages • ResponseFlags • Request-response version clarifications • Signed & unsigned errors • Validation Policy ByRef clean-up

  4. Changes • Validation policy vs. Validation alg • Policy defines parameters, algorithm defines how parameters compared • New algorithms can extend set of parameters • Policy can define full or partial set of parameters • Client can specify value if absent from policy • If absent from policy and request, server uses published default value

  5. Changes • Single policy per request, multiple certificates per request • Correctly position errors • userPolicySet moved to validation policy • keyUsages is now set of keyUsage to allow definition multiple possible masks • ResponseFlags is collection of flags which control the server response options

  6. Changes • Request-response clarifications for forward compatibility • Server responds with same version of SCVP as request or an error • Signed & unsigned errors • Server returns signed weeres in many cases to mitigate attacks

  7. Changes • Validation policy ByRef clean up • Clean up of validation policy definition for use when client requests validation policy ByRef

  8. New • Integrity for anonymous requests • Granular validations errors in response • Basic validation alg errors • Full support for CA cert validation • DN option for name validation alg • Name validation support mandatory on server • SCVP validation policy nonce • Validation policy supports max supported version number

  9. New • Integrity for anonymous request-response pair for use without TLS • Server publishes DH public keys in validation policy • Client generates DH key with same parameters & • Client sends authenticatedData using DH shared secret for HMAC with client public value in request • Server uses client DH public for authenticatedData response

  10. New • Granular validation errors in response • Error response returns set of validation error OIDs • Basic validation algorithm now has errors defined as OIDs • Can return basic validation errors as well as validation alg specific errors

  11. New • Full support for CA cert validation • Returns policy set, included & excluded name sets • Enables hybrid DPD, DPV client with simplified validation for EE certificates only • DN name matching option for Name Validation Algorithm

  12. New • Validation Policy request support optional nonce • Server returns either cached response without nonce or non-cached response with nonce • Validation Policy publishes max supported SCVP request version number.

  13. SCVP 17 • Editorial clarification and corrections only • Please submit all comments to me or to list by end of November • No outstanding issues • No new features planed • Please wait for SCVP v2 if you want more

More Related