43 %
57 %
Information about TP2

Published on December 19, 2007

Author: Jacob


The Truth Behind PKI and Friends:  The Truth Behind PKI and Friends Radia Perlman Distinguished Engineer, Sun Labs Strategies for PKI Hierarchies:  Strategies for PKI Hierarchies Monopoly Oligarchy Anarchy Bottom-up Monopoly:  Monopoly Choose one universally trusted organization Embed their public key in everything Give them universal monopoly to issue certificates Make everyone get certificates from them Simple to understand and implement What’s wrong with this model?:  What’s wrong with this model? Monopoly pricing Getting certificate from remote organization will be insecure or expensive (or both) That key can never be changed Security of the world depends on honesty and competence of that one organization, forever Oligarchy of CAs:  Oligarchy of CAs Come configured with 80 or so trusted CA public keys (in form of “self-signed” certificates!) Usually, can add or delete from that set Eliminates monopoly pricing What’s wrong with oligarchy?:  What’s wrong with oligarchy? Less secure! security depends on ALL configured keys naïve users can be tricked into using platform with bogus keys, or adding bogus ones (easier to do this than install malicious software) impractical for anyone to check trust anchors Although not monopoly, still favor certain organizations. Why should these be trusted? Anarchy:  Anarchy Anyone signs certificate for anyone else Like configured+delegated, but user consciously configures starting keys Problems won’t scale (too many certs, computationally too difficult to find path) no practical way to tell if path should be trusted too much work and too many decisions for user Important idea:  Important idea CA trust shouldn’t be binary: “is this CA trusted?” Instead, a CA should only be trusted for certain certificates Name-based seems to make sense (and I haven’t seen anything else that does) Top Down with Name-based policies:  Top Down with Name-based policies Assumes hierarchical names Each CA only trusted for the part of the namespace rooted at its name Easy to find appropriate chain This is a sensible policy that users don’t have to think about But: Still monopoly at top, since everyone needs to be configured with that key Bottom-Up Model:  Bottom-Up Model Each arc in name tree has parent certificate (up) and child certificate (down) Name space has CA for each node Cross Links to connect Intranets, or to increase security Start with your public key, navigate up, cross, and down Intranet:  Intranet Extranets: Crosslinks:  Extranets: Crosslinks Extranets: Adding Roots:  Extranets: Adding Roots root Cross-link for added security:  Cross-link for added security root Advantages of Bottom-Up:  Advantages of Bottom-Up For intranet, no need for outside organization Security within your organization is controlled by your organization No single compromised key requires massive reconfiguration Easy configuration: public key you start with is your own Now some buzzwords:  Now some buzzwords Now some buzzwords:  Now some buzzwords Roles, Groups, Identities, RBAC Definitions I'd like:  Definitions I'd like An identity...preferably a single thing, but a person can have multiple identities (holder of credit card, employee) Group...not a single thing “Radia's group”, but rather millions of groups “over-18, Sun employee, Radia's friends” Role...kind of like a group, but... Roles vs Groups:  Roles vs Groups Groups---you always have all privileges associated with all the groups you are in Roles---they might be mutually exclusive, and you might have to separately authenticate Roles vs Identities:  Roles vs Identities If you have to authenticate to be a role, why isn't it an identity? For auditing purposes, you probably want to know which identity is acting in that role

Add a comment

Related presentations

Related pages

Institut für Theoretische Physik II - Hadronen- und ... Adresse. Institut für Theoretische Physik II Fakultät für Physik und Astronomie Ruhr-Universität Bochum 44780 Bochum
Read more

TP2 Talentpool

TP2 und die Macher. TP2 Talentpool fördert mitteldeutsche Nachwuchs-Talente in den Bereichen Drehbuch, Regie und Produktion für Spiel- und Dokumentarfilme.
Read more

Lehre -

Ruhr-Universität Bochum, sechstgrößte Universität in Deutschland ... Klassische Theoretische Physik I: Termine: Mo, 8-10, HZO70 Mi, 8-10, HZO70: 4st.
Read more

TP2 | ZEISS 3D Automation

TP2 - Der TP2-5W Messkopf hat einen Durchmesser von 13mm und ein M8 Anschlussgewinde für Messkopfverlängerungen. Taststifte mit M2 Gewinde können direkt ...
Read more

R-Kelly - TP2 - YouTube

R-Kelly - TP2 Comment, Rate & subscribe! ... This feature is not available right now. Please try again later.
Read more

Schneckenpumpen | Produkte - PMFS GmbH

TP2. Die kleine und robuste, elektrisch angetriebene, Mörtelpumpe TP2. Der Elektroantrieb mit stufenloser Pumpmengenverstellung macht die kleine TP2 zur ...
Read more


TP2-Mitarbeiter, Juli 2016. Lehrstuhlinhaber: Prof. Dr. Ansgar Denner. Sekretariat: Brigitte Wehner. Emil-Hilb-Weg 22. Lehrstuhl für Theoretische Physik II
Read more

HENRI LLOYD Official Store | Spring Collections Now Live

Discover heritage brand Henri Lloyd. Browse and shop SS16 collections for luxury lifestyle pieces for both men and women alongside our technical sailing gear.
Read more

YachtNetwork » Händlerliste

Händlerliste Fachhändler in Ihrer Nähe. Um den Fachhändler in Ihrer Nähe zu finden klicken Sie bitte auf den folgenden Link: Händlerliste.
Read more

MyP2P | | Free Live Sports on your PC, Live ...

Myp2p brings you many live football matches and sports, The Barclays English Premier League online streaming. Myp2p is the best and most complete football ...
Read more