eID validations services - PowerPoint PPT Presentation

About This Presentation
Title:

eID validations services

Slides: 24
Transcript and Presenter's Notes

Title: eID validations services


1
eID validations services
  • Houcine Bel Mamoune
  • Unit manager
  • eID Technical Drill down Session
  • 7 April 2005

2
eID validations services
  • Introduction
  • eID CA profile and hierarchy
  • eID Repository
  • eID LDAP
  • eID CRL/delta CRL
  • eID OCSP
  • QA

3
Introduction
4
eID CA profile and hierarchy
  • Belgium Root CA is kept offline
  • CA Tree structure
  • Relying party trusts the Belgium Root CA key
  • Belgium Root CA issues Citizen CA certificates
  • Relying party verifies certificate along a
    certificate path leading to the root.

[Diagram: Chain of Trust. Belgium Root CA above several Citizen CAs; a Citizen CA issues the Auth. Citizen cert. and the Sign. Citizen cert.]
5
eID CA profile and hierarchy
  • Certificate Serial Number (unique)
  • Unique name identifying certificate owner
  • Certificate usage (Sign./Auth.)
  • Validity period (5 years)
  • Public key
  • Issuer name, signature
  • Technical information
  • Version (3)
  • Signature algorithm
  • Authority info access

[Example certificate shown on the slide]
  Certificate Serial Number: 3214
  Subject: Serial Number = 12345678901, G = John Fitzgerald, SN = Doe, CN = John Doe (Signature), C = BE
  Public key
  Validity: 1/07/2003 10:03:00 to 1/07/2008 10:03:00
  Issuer: CA-Name
  Signature: CA digital signature
6
eID CA profile and hierarchy
  • Authentication Certificate
  • Signature Certificate
7
eID CA profile and hierarchy
  • Citizen CA CRL distribution point
  • Citizen CA Authority Key Identifier
8
eID CA profile and hierarchy
  • Citizen Certificates Authority Information Access
  • Citizen Certificates CDP
9
eID repository
  • eID CSP repository links
  • http://repository.eid.belgium.be is the eID CSP
    web site
  • http://crl.eid.belgium.be
  • http://certs.eid.belgium.be
  • http://status.eid.belgium.be
  • Certificate Status Web Service provides real-time
    certificate status
  • Certificate Revocation List (CRL) Lookup Service
  • http://ocsp.eid.belgium.be
  • ldap.eid.belgium.be port 389
  • The new eID government web site
  • http://eid.belgium.be
  • With links to the Fedict and RRN web sites
  • Certipost eID web shop
  • http://www.eid-shop.be

10
eID repository
11
eID LDAP
  • eID LDAP is the CA public directory
  • Accessible using LDAP v2 on the host
    ldap.eid.belgium.be, port 389, base DN
    dc=eid,dc=belgium,dc=be

12
eID CRL/ΔCRL
  • Used to validate certificates
  • Includes information such as
  • Issuer of the CRL
  • Type of signature applied to the CRL
  • Date and time when the CRL is issued
  • Date and time of the next CRL update
  • List of revoked certificates (Serial Number,
    Revocation date)

13
eID CRL/ΔCRL
  • Certificate revocation list profile

14
eID CRL/ΔCRL
  • Certificate revocation list profile

15
eID CRL/ΔCRL
  • Delta CRL profile

16
eID CRL/ΔCRL
  • CRL/Delta CRL process

17
eID CRL/ΔCRL
  • Current CRL size for the Citizen CA 2004 is about
    3,04 MB
  • Estimated size per entry in future CRLs/ΔCRLs is
    about 38 bytes / entry
  • CRL size for 16 000 000 citizen certificates: 580
    MB
  • Needs a CRL splitting scheme, by generating several
    Citizen CAs
  • Each CA will issue its own CRL and ΔCRL
  • → size issue!
  • 3 options to mitigate it
  • Use ΔCRL
  • Generate several CA certificates
  • Use OCSP

18
eID OCSP
  • The OCSP responder is OCSP v1 compliant (RFC 2560).
  • Suspended certificates will be reported as revoked,
    since the Suspended status is currently not
    supported by OCSP.
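The CRL/ΔCRL process of slides 12 to 17 and the slide 18 rule that a suspended certificate is reported as revoked, as an added Python example that is not part of the presentation or of the eID services: it merges a delta CRL into its base CRL, answers an OCSP-style status query from the result, and reproduces the 580 MB estimate. The delta-CRL semantics (BaseCRLNumber, removeFromCRL) are taken from RFC 5280, which the slides do not state; the issuer name, serial numbers and dates are constructed.

```python
# Added example (not from the eID presentation): the base CRL / delta CRL
# merge of slides 12-17 and the slide-18 rule that suspended certificates are
# reported as revoked. Delta semantics (BaseCRLNumber, removeFromCRL) follow
# RFC 5280, an assumption not stated on the slides; names/serials are made up.
from dataclasses import dataclass, field
from typing import Dict, Optional

BYTES_PER_ENTRY = 38  # per-entry estimate quoted on slide 17

@dataclass
class RevokedEntry:
    serial: int
    revocation_date: str  # ISO 8601, e.g. "2005-04-02T10:03:00"
    reason: str = "unspecified"  # "certificateHold" = suspended

@dataclass
class CRL:
    issuer: str
    this_update: str
    next_update: str
    crl_number: int
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)
    base_crl_number: Optional[int] = None  # only present on a delta CRL

def apply_delta(base: CRL, delta: CRL) -> CRL:
    """Combine a base CRL with its delta into the current revocation list."""
    if delta.base_crl_number is None or delta.issuer != base.issuer:
        raise ValueError("not a delta CRL for this issuer")
    if not delta.base_crl_number <= base.crl_number < delta.crl_number:
        raise ValueError("delta does not apply to this base CRL")
    merged = CRL(base.issuer, delta.this_update, delta.next_update,
                 delta.crl_number, dict(base.entries))
    for serial, entry in delta.entries.items():
        if entry.reason == "removeFromCRL":
            merged.entries.pop(serial, None)  # suspension lifted
        else:
            merged.entries[serial] = entry  # newly revoked or suspended
    return merged

def ocsp_status(crl: CRL, issuer: str, serial: int) -> str:
    """good / revoked / unknown; a certificateHold entry reads as revoked."""
    if issuer != crl.issuer:
        return "unknown"  # this responder does not serve that CA
    return "revoked" if serial in crl.entries else "good"

def estimated_crl_size_mb(entry_count: int) -> float:
    """Slide 17: 38 bytes per entry, 16 000 000 entries gives about 580 MB."""
    return entry_count * BYTES_PER_ENTRY / (1024 * 1024)
```

A relying party that caches the base CRL only needs to fetch the much smaller delta each day; the 580 MB figure shows why the slides propose splitting the Citizen CA or moving to OCSP.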

19
eID OCSP
  • Provide real-time status information
  • Decrease risk of using revoked certificates
  • Return status good, revoked or unknown
  • Use of OCSP URL from certificate to gain access
    to the responder

[Diagram: Belgium Root CA and Citizen CA feed the CA DB, CRL, ΔCRL and Web status; the OCSP responder answers an OCSP Request for Cert 123 (Alice) from the OCSP Client used by applications or the relying party.]
20
OCSP versus CRL/ΔCRL
[Diagram: Online Certificate Status Protocol versus (Offline) Certificate Revocation List, showing your application, the back-office and the citizen.]
21
OCSP versus CRL/ΔCRL
22
OCSP versus CRL/ΔCRL
  • E.g. the eID OCSP validation service could be used
    daily, in conjunction with CRL/ΔCRL as a backup
  • The choice between OCSP and CRL/ΔCRL depends on
    your business and on your risk assessment
  • → most probably a balance between the two protocols

23
Thank You!