[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

A day in the life of ephemeral certificates


I've been doing more thinking about realistic scenarios for the use of ephemeral

I log in to my workstation in the morning:

  1) I pick a key-pair from a pool that my workstation has generated for
     me overnight.

  2) I unlock the private key of my identity-based (long-term) certificate

  3) Using that certificate, I:

     Obtain Kerberos Ticket Granting Tickets from each of the KDCs
     that I normally need TGTs from

     Obtain ephemeral privilege granting certficates from each of
     the PGAs (Privilege Granting Authorities) that I normally need
     to acquire privilege from.  Those ephemeral certificates mention
     the public key from the key-pair I had selected earlier.

  4) I use services that require the use of either Kerberos tickets or
     these fancy ephemeral certificate things.

     I can envision using one of these PGCs (Privilege Granting Certificates)
     to establish, as required, a "security association" with host systems
     that I normally interact with.  Once I have one of these SAs, I don't
     need to use the PGC with the target host again until my SA expires.
     The target host would naturally cache my "privilege vectors" when
     it creates an SA.  You don't get non-repudiation for transactions
     protected by such an SA, but often you don't need that. Indeed, in
     the day-to-day network-login, network-copy, network-this-and-that
     scenario, you care only that your messages are protected, and that
     the target host has some confidence in the privileges associated with
     those messages.  I can envision "unix-login-id" being one of the
     "privileges" (capabilities?) that might be associated with a PGC.

     In a large corporation, there would likely be many PGAs, with
     a given identity having, for example, different "unix-login-id"
     capabilities in different domains (from different PGAs).

Version: 2.6.2


Marcus Leech                   Mail: Dept 4C16, MS 238, CAR
Systems Security Architect     Phone   : (ESN) 395-4901  (613) 763-9145
Systems Security Services      Fax     : (ESN) 393-7679  (613) 763-7679
Nortel Technologies            mleech@bnr.ca
-----------------Expressed opinions are my own, not my employers------