Seguran - PowerPoint PPT Presentation

About This Presentation
Title:

Seguran

Description:

An idea for. Instantaneous Secure Enrollment. Marco 'Kiko' Carnut kiko_at_tempest.com.br ... Private key generated on demand by the main CA ... – PowerPoint PPT presentation

Slides: 5
Provided by: marcokik

Transcript and Presenter's Notes

1
An idea for Instantaneous Secure Enrollment
Marco 'Kiko' Carnut <kiko_at_tempest.com.br>
4th PKI R&D Workshop, WIP session, NIST, Apr/2005
2
The Client's CA
  • Client's CA
  • Private key generated on demand by the main CA
  • But it's not released until after the user's
    identity is checked
  • Restricted to issuing one cert only (clients
    should verify this)

Diagram (certificate chain): Root CA → Main CA → Kiko CA → Kiko Client
  • The client app must consider my client cert as
    trusted even if its chain is incomplete.
  • Many don't but... well, Kapanga does
  • Server web sites accept such incomplete/invalid
    certs by granting them only guest-level access
  • Most apps will consider their digital sigs
    invalid at this point, just as we want

3
Authorization
  • After the CA properly identifies the user
    according to its policies, we release the
    Client's CA on a key server
  • The client and everyone else fetches it
  • Client must enforce extra restrictions for the
    single cert principle
  • I've been using:
  • Kiko's CA DN = Kiko's Client DN
  • Kiko's CA Serial = Kiko's Client Serial
  • Kiko's CA is a CA (basicConstraints=CA:TRUE)
  • Kiko's Client is a Client (basicConstraints=CA:FALSE)
  • Now people will be able to trust my cert
  • Performance: kinda bad, because the CA must
    generate a new key
  • Revocation: we can have a small, single-serial
    CRL
  • No large CRLs anymore
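
The relying-party checks from slides 2 and 3, as an added example that is not part of the original presentation. It reads the DN and serial items as equality checks, works on already-parsed certificate fields, and assumes signature verification is done elsewhere; `Cert`, `single_cert_violations`, `access_level` and the key-server mapping are hypothetical names.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # Already-parsed fields; chain signatures are assumed verified by the caller.
    subject: str
    issuer: str
    serial: int
    is_ca: bool  # basicConstraints CA flag

def single_cert_violations(client_ca: Cert, client: Cert) -> list[str]:
    """Return the single-cert restrictions this pair breaks (empty list = OK)."""
    problems = []
    if client.issuer != client_ca.subject:
        problems.append("client cert not issued by this Client's CA")
    if client_ca.subject != client.subject:
        problems.append("CA DN differs from client DN")
    if client_ca.serial != client.serial:
        problems.append("CA serial differs from client serial")
    if not client_ca.is_ca:
        problems.append("Client's CA lacks basicConstraints CA:TRUE")
    if client.is_ca:
        problems.append("client cert must be basicConstraints CA:FALSE")
    return problems

def access_level(client: Cert, key_server: dict[str, Cert],
                 revoked_serials: frozenset[int] = frozenset()) -> str:
    """Map a presented client cert to 'guest', 'trusted' or 'rejected'."""
    client_ca = key_server.get(client.issuer)
    if client_ca is None:
        return "guest"      # chain incomplete: Client's CA not released yet
    if single_cert_violations(client_ca, client):
        return "rejected"   # the Client's CA was used for more than its one cert
    if client.serial in revoked_serials:
        return "rejected"   # hit in the small single-serial CRL
    return "trusted"

# Constructed sample data (not from the presentation).
DN = "CN=Kiko"
kiko_ca = Cert(subject=DN, issuer="CN=Main CA", serial=0x1001, is_ca=True)
kiko = Cert(subject=DN, issuer=DN, serial=0x1001, is_ca=False)
second = Cert(subject="CN=Someone Else", issuer=DN, serial=0x1002, is_ca=False)
```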

4
Thank you! Questions?
Real Protection against Real Digital Threats
kiko_at_tempest.com.br