230 likes | 473 Views
eID validations services. Houcine Bel Mamoune Unit manager eID Technical Drill down Session for Financial Services - 15/12/2004. eID validations services. Introduction eID CA profile and hierarchy eID Repository eID LDAP eID CRL/delta CRL eID OCSP Q&A .
E N D
eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session for Financial Services - 15/12/2004
eID validations services • Introduction • eID CA profile and hierarchy • eID Repository • eID LDAP • eID CRL/delta CRL • eID OCSP • Q&A
eID Certificate Authority Citizen PUK & PIN Belgian National Register eID Card Manufacturer Belgian municipalities Introduction
eID CA profile and hierarchy • Belgium Root CA off line • CA Tree structure • Relying party trusts the Belgium Root CA key • Belgium Root CA issues Citizen CA certificates • Relying party verifies certificate along a certificate path leading to the root. Citizen CA Belgium Root CA Chain of Trust Citizen CA Citizen CA Auth. Citizen cert. Sign. Citizen cert.
eID CA profile and hierarchy • Certificate Serial Number (unique) • Unique name identifying certificate owner • Certificate usage (Sign./Auth.) • Validity period (5 year) • Public key • Issuer name & signature • Technical information • Version (3) • Signature algorithm • Authority info access • … Certificate Serial Number: 3214 Subject: Serial Number = 12345678901 G = John Fitzgerald SN = Doe CN = John Doe (Signature) C = BE Public key: Validity: 1/07/2003 10:03:00 1/07/2008 10:03:00 Issuer: CA-Name Signature: CA Digital signature
Authentication Certificate eID CA profile and hierarchy Signature Certificate
Citizen CA CRL distribution point eID CA profile and hierarchy Citizen CA Authority Key identifier
Citizen Certificates Authority Information access eID CA profile and hierarchy Citizen Certificates CDP
eID repository • eID CSP repository links: • http://repository.eid.belgium.be is the eID CSP web site • http://crl.eid.belgium.be • http://certs.eid.belgium.be • http://status.eid.belgium.be • Certificate Status Web Service: provide real time certificate status • Certificate Revocation List (CRL) Lookup Service • http://ocsp.eid.belgium.be • ldap.eid.belgium.be port 389 • The new eID government web site: • http://eid.belgium.be • With link to Fedict and RRN web sites • Certipost eID web shop • http://www.eid-shop.be
eID LDAP • eID LDAP is the CA public directory: • Accessible by using LDAP v2 on the host ldap.eid.belgium.be port 389 base dc=eid, dc=belgium, dc=be
eID CRL/ ΔCRL • Used to validate certificates • Include information such • Issuer of the CRL • Type of signature applied on the CRL • Date and Time when the CRL is issued • Date and Time of the next CRL update • List of revoked certificates (Serial Number, Revocation date)
eID CRL/ ΔCRL • Certificate revocation list profile
eID CRL/ ΔCRL • Certificate revocation list profile
eID CRL/ ΔCRL • Delta CRL profile
CRL/Delta CRL process eID CRL/ ΔCRL
eID CRL/ ΔCRL • Current CRL size for the Citizen CA 2004 is about 3,04 MB • Estimated entry per future CRL/ ΔCRL size is about 38 bytes / entry • CRL size for 16 000 000 citizen certificates: 580 MB • Needs CRL splitting schema by generating several Citizen CA’s • Each CA will issue its own CRL and ΔCRL • size issue ! • 3 options to mitigate it: • Use ΔCRL • Generate several CA certificates • Use OCSP
eID OCSP • The OCSP is OCSP V1 compliant (RFC2560). • Suspended certificates will be marked as revoked since the “Suspended” status is currently not supported by OCSP.
eID OCSP Belgium Root CA • Provide real-time status information • Decrease risk of using revoked certificates • Return status good, revoked or unknown • Use of OCSP URL from certificate to gain access to the responder CA DB Citizen CA CRL ΔCRL Web status OCSP responder OCSP Request: Cert #123 Cert #123 Alice OCSP Client Applications or relying party
eID Validation Services OCSP versus CRL/ΔCRL Online Certificate Status Protocol (Offline) Certificate Revocation List Citizen Your application Back-office Citizen
OCSP CRL/Delta CRL Access method Online: ·Transaction based relying on the OCSP server availability ·About no delays between requests and answers ·Gets the effective and current certificates status ·Requesting service must be able to perform an online OCSP request Offline: ·Download of the last CRL/DeltaCRL before any validation ·Local transaction ·Not synchronised with the online status; maximum of 3 hours of delay if each DeltaCRL is fetched Access protocol HTTP HTTP(s)/LDAP Local storage needed NO Very limited as transaction based YES Need to download and store locally at least the last CRL/DeltaCRL; It is disk storage consuming; Internet bandwidth LOW As transaction based HIGH It will require a high bandwidth for downloading CRL’s. As every eID citizen’s certificate is first suspended before being optionally activated large CRL file Signed answer YES Answers are signed by the OSCP responder private key YES CRL and Delta CRL are signed by the issuing CA private key OCSP versus CRL/ΔCRL
OCSP versus CRL/ΔCRL • E.g. eID OCSP validations services could be used daily in conjonction with CRL/ ΔCRL as back up • Choice between OCSP and CRL/ ΔCRL is depending on your business, on your risk assessment, … Most probably a balance between the 2 protocols