Re: PKI and Relying Parties

From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 03/28/02


From: Anne & Lynn Wheeler <lynn@garlic.com>
Date: Thu, 28 Mar 2002 13:34:10 GMT

Harold Hammond <HammondITS@netscape.net> writes:

> This isn't about access control or about the reliability of a PKI. The simple
> question is how can one get access to up-to-date CRLs without becoming a CA.
>
> I want to be able to check Certificate Revocation Lists for digital certificates
> being presented at my website. I do not want to be a CA. I do not want anyone
> to be a CA on my behalf.

another way of doing it is use an enhanced RADIUS with your website
that supports digital signature in place of password or
challenge/response (aka the webserver authentication hook implements
radius ... and then radius specifies password, challenge/response or
digital signature on an account by account basis).

RADIUS repository supplies both the authentication material
(registering password, public key, etc) and the current/accurate
authorization information.

There is some claim that CRLs are the equivalent of the 1960s revoked
account lists distributed in monthly paper booklets in the credit card
industry. This was an offline technology implementation. Offline
technology approaches (like CRLs) became obsolete when moving from an
offline paradigm to an online paradigm starting sometime in the '70s.

You don't become a CA or support CRLs ... you just have registration
of those that you accept and their authentication material (whether
password, digital signature, challenge/response, etc).

misc. RADIUS related discussions
http://www.garlic.com/~lynn/subtopic.html#radius

for additional radius references go to
http://www.garlic.com/~lynn/rfcietff.htm

and click on "Term (term->RFC#)"

in the "Acronym Fastpath" section, click on "RADIUS"

i.e.

remote authentication dial in user service (RADIUS )
      see also authentication , network access server , network services
      3162 2882 2869 2868 2867 2866 2865 2809 2621 2620 2619 2618 2548
      2139 2138 2059 2058

clicking on any RFC number will give you a summary of that RFC.
Clicking on the "(.txt=nnnnn)" field (in a RFC summary) will retrieve the
actual RFC.

also of possible interest are the RFCs of the AAA working group:
Authentication, Authorization and Accounting
      see also accounting , authentication , authorization
      3127 2989 2977 2906 2905 2904 2903

-- 
Anne & Lynn Wheeler   | lynn@garlic.com, http://www.garlic.com/~lynn/
