
Email PKI | Feide RnD

Email PKI
23 July, 2007 - 23:00 — andreas@uninett.no

Abstract: Describes an idea for integrating Feide, or other federated identity systems, with e-mail PKI: how Feide can be used to solve the key distribution problem of the PGP web of trust.

Email PKI and federated identity management
Andreas Åkre Solberg
Tue Jul 24 09:32:36 2007

Table of Contents
Introduction
The Trusted Introducer Service
About the idea

Introduction

Every day people send sensitive information in unencrypted e-mail, and make important decisions based on information received in unsigned e-mail. That e-mail is frequently sent unencrypted through open wireless networks, SMTP proxies, the SMTP server of a home DSL provider, or a hotel network, and it is stored unencrypted on company IMAP servers and laptop hard drives. The sensitive information may be personal secrets, business secrets, passwords, or personal health data.

There are two main technologies for e-mail encryption and digital signatures: PGP (Pretty Good Privacy) and S/MIME. In this document we look at PGP.

Common to all PKI systems is that they require an initial trust relationship between the participating entities. Before person A can send an encrypted e-mail to person B (or verify B's signature), A must possess B's public key and must have validated B's ownership of that key through a channel other than the e-mail itself.
Initial trust may be established by personal contact, where A and B meet and compare the fingerprints (hash values) of their public keys. This scales poorly to groups: a full mesh of trust among n people needs n(n-1)/2 pairwise fingerprint exchanges, i.e. 45 exchanges for ten people communicating through a mailing list, and the number grows quadratically with the group size. To ease this, PGP offers trusted introducers: if A has validated B's key and trusts B as an introducer, and B has signed C's key, then C's key becomes valid for A without A ever meeting C.

The Trusted Introducer Service

Trusted introducers need not be persons; any entity with a key pair can act as one. As we will see, this lets us reuse established AAIs (Authentication and Authorization Infrastructures) for e-mail cryptography.

Many European countries are now deploying AA infrastructures for educational users and services. AAIs are trust networks in which local authorities are responsible for authenticating local users; these authorities are often called Asserting Parties or Identity Providers. Initially AAIs were deployed per country and limited to the educational community. Efforts are now being made to interconnect the national AAIs into a European confederation, in the GÉANT2 project eduGAIN, and some national federations are considering connections to commercial services and Identity Providers. With a Europe-wide federation, the same trusted introducer can serve all users in the participating countries.

AAIs commonly support web single sign-on, so a web-based Introducer service is the natural form for a trusted introducer for e-mail cryptography.

A PGP public key carries one or more user ID strings, each of which should contain the user's full name and e-mail address. To bind a person to a PGP public key, the Introducer must validate the name and e-mail address in the user ID.
The Introducer therefore obtains the user's name and e-mail address from the Identity Provider. After confirming the relationship between the user and the public key, the Introducer signs the user's public key with its own private key and publishes the signature to a keyserver. Every user who has configured the Introducer as a trusted introducer, and whose PGP software retrieves keys and signatures from that keyserver, then automatically obtains a valid key for every user of the service.

Figure 1. Architecture of the Introducer Service

Below follows a typical scenario in which a user makes use of the Introducer service. The user is assumed to already have a PGP key pair.

1. The user downloads the Introducer's public key, verifies its fingerprint out of band (everything below rests on this key), and configures it as a trusted introducer in her PGP key store.
2. The Introducer initiates web single sign-on with the user's Identity Provider. The user enters her credentials, and on success the Identity Provider delivers to the Introducer an authentication assertion with the required attributes: full name and e-mail address.
3. The Introducer asks the user to paste an ASCII-armored copy of her public key into an input field, or to upload the binary form.
4. The Introducer compares the user ID string with the full name and e-mail address obtained from the Identity Provider. Only if they match does the service proceed.
5. Optional but recommended: as an extra check, the Introducer sends a verification URL in an e-mail encrypted to the submitted public key. Following the URL proves that the user both holds the private key corresponding to that public key and has access to that e-mail account. Once the user opens the verification URL, the Introducer continues.
6. The Introducer signs the validated user ID of the public key with its own private key and uploads the signature to a publicly accessible keyserver.
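The Introducer-side checks of steps 4 and 5, the decision of which user IDs to certify in step 6, and the key validity that a list member ends up with under the trusted-introducer rule from the previous section, as one added worked example in Python. This is not code from the original document or from Feide: the user IDs, names, addresses, fingerprint, the `introducer`/`userN` key names and the HMAC challenge-token format are all constructed assumptions, and the actual OpenPGP signing and keyserver upload are left to the OpenPGP implementation.

```python
"""Added example (not from the original document): Introducer checks for steps 4-6
of the scenario plus a toy model of the resulting PGP key validity. Standard
library only; every key, name and address below is constructed."""
import base64
import hashlib
import hmac
import re
import unicodedata

# OpenPGP user IDs are conventionally "Full Name (optional comment) <email>".
UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^<>\s]+)>\s*$"
)

def parse_uid(uid):
    """Split a user ID into (name, comment, email); ValueError if malformed."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"unparseable user ID: {uid!r}")
    return m.group("name"), m.group("comment"), m.group("email")

def _norm_name(s):
    return unicodedata.normalize("NFC", " ".join(s.split())).casefold()

def _norm_email(s):
    # Domain is case-insensitive; the local part is deliberately compared verbatim.
    local, _, domain = s.strip().rpartition("@")
    return f"{local}@{domain.casefold()}"

def uids_to_sign(uids, idp_name, idp_mail):
    """Step 4: keep only the UIDs whose name AND e-mail match the IdP assertion.
    A key can carry several UIDs; the Introducer certifies the matching ones and
    no others, otherwise it would vouch for identities it never checked."""
    out = []
    for uid in uids:
        try:
            name, _comment, email = parse_uid(uid)
        except ValueError:
            continue  # unparseable UIDs are simply never certified
        if _norm_name(name) == _norm_name(idp_name) and _norm_email(email) == _norm_email(idp_mail):
            out.append(uid)
    return out

def make_challenge(secret, fingerprint, email, now, ttl=3600):
    """Step 5: token for the verification URL (hypothetical format). It binds the full
    fingerprint (never a short key ID, which is trivially collidable) and the address,
    expires, and is HMAC-authenticated so a callback cannot be forged or transplanted."""
    payload = f"{fingerprint}|{_norm_email(email)}|{now + ttl}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_challenge(secret, token, now):
    """Return (fingerprint, email) if the token is authentic and unexpired, else None."""
    try:
        p64, t64 = token.split(".", 1)
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError:  # malformed token or bad base64 padding
        return None
    if not hmac.compare_digest(tag, hmac.new(secret, payload, hashlib.sha256).digest()):
        return None
    fingerprint, email, exp = payload.decode().split("|")
    if now > int(exp):
        return None
    return fingerprint, email

def valid_keys(owner, certifications, trusted_introducers, max_depth=1):
    """Keys that `owner` considers valid after step 6 and the keyserver fetch.
    certifications: signer -> set of keys that signer has signed. A key is valid if
    the owner signed it, or it was signed by a key that is itself valid to the owner
    and marked as a trusted introducer (classic PGP follows one such level)."""
    valid, certifiers = {owner}, {owner}
    for _ in range(max_depth + 1):
        signed = set().union(*(certifications.get(c, set()) for c in certifiers))
        valid |= signed
        certifiers = {k for k in signed if k in trusted_introducers}
        if not certifiers:
            break
    return valid

def mailing_list_certs(members):
    """Constructed certification graph: every member verified the Introducer's
    fingerprint and signed its key; the Introducer signed every member's key."""
    certs = {"introducer": set(members)}
    for m in members:
        certs[m] = {"introducer"}
    return certs

if __name__ == "__main__":
    import secrets, time
    FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
    uids = ["Kari Nordmann <kari@EXAMPLE.no>", "Kari Nordmann <kari@other.example>"]
    to_sign = uids_to_sign(uids, "Kari Nordmann", "kari@example.no")
    secret, now = secrets.token_bytes(32), int(time.time())
    token = make_challenge(secret, FPR, "kari@example.no", now)  # placed in the encrypted mail
    print("certify:", to_sign, "| callback ok:", verify_challenge(secret, token, now + 60) is not None)
    members = [f"user{i}" for i in range(1, 11)]
    print("valid to user1:", sorted(valid_keys("user1", mailing_list_certs(members), {"introducer"})))
```

A real service would hand the matching UIDs and the fingerprint to its OpenPGP implementation for certification, and the URL carrying the token would travel only inside an e-mail encrypted to that fingerprint. Binding the fingerprint into the token is what stops a user from completing the challenge for one key and having a different key certified; in the validity model, a key signed only by an ordinary member (not a trusted introducer) never becomes valid to the others.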
The Introducer may provide keyserver functionality itself, use any keyserver reachable by all relevant users, or upload the signature to several keyservers.

To establish a full mesh of trust among the members of a group, each member goes through the steps above once. When a user receives an e-mail from a previously unknown sender, PGP can be configured to ask the keyserver for a key matching the sender's e-mail address. The lookup also retrieves the Introducer's signature on that key, and it is that signature which makes the key valid to the recipient; the lookup itself proves nothing, since anyone can upload a key under any address.

The service is described here in the context of e-mail cryptography, but the method is generic and applies to most situations where users and PGP are involved. Although the method is specific to PGP, the concept carries over to other PKI solutions: for example, a certificate authority may use the AAI to authenticate users before issuing S/MIME certificates.

About the idea

This document was submitted for TNC 2007 in December 2006 and later published on the Feide RnD blog in July 2007. Feide has not yet implemented a proof-of-concept service. If you have thoughts, comments or plans for implementation, please contact the author.
Tags: Email PKI, SAML 2.0

2007-2008 © UNINETT