The purpose of this page is to collect information on how the OpenNCP project should take into account the PKI used in epSOS. This includes integration or interaction of protocol terminators with TSLSync, management of certificates used for establishing VPN connections, and other certificate-management procedures such as handling expired or revoked certificates.

General PKI

...

model description

The main documents defining the selected PKI model are D3.7.2 Section II and D3.4.2 v. 2.2.

...

How to propagate CRL-based certificate revocation to ipsec/VPN tunnels?

A proposal/discussion starting point

It can be discussed whether the following changes could be applied to the current PKI model implementation. The proposal places trust in root/intermediary CA certificates only. Its goal is more precise control over the local truststores, while at the same time making it easier to handle certificate updates.

  • Truststores should only include CA certificates.
  • TSLSync may fetch signature, TLS and VPN certificates from NSL lists in central services and check them, but should not place them in the truststore.
  • TSLSync should fetch endpoint addresses from NSL lists in central services and use them for NCP configuration by placing them in the epsos.properties file.
  • TSLSync may have an option of fetching the root and intermediate CA certificates from central services, but normally they are managed locally by NCPs.
  • CRLs published by the root and intermediate CAs are kept by NCPs up-to-date and all used certificates are checked against them.
  • VPN configuration of the NCP is done using the root and intermediate CA certificates.
  • For HTTPS communication, in TLS handshake certificates presented by the parties are checked by verifying the chain up to the trusted root CA certificate.
  • In signature verification (assertions or NCP signatures) the signature certificate is checked by verifying the chain up to the trusted root CA certificate.
  • NCP certificates are created according to the rules listed in D3.4.2 v. 2.2. The VPN client certificate is not mandatory.
  • NSL lists are created according to the rules listed in D3.4.2 v. 2.2.
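The chain verification the proposal describes (trust anchors taken only from a CA-only truststore, revocation checked against locally kept CRLs) can be done with the standard Java PKIX path builder. The following is an added example, not OpenNCP code; the class name, the truststore handling and the CRL file layout are assumptions, and the same validator applies to signature, TLS and VPN certificates presented by a peer NCP.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Hypothetical helper: chain validation against a CA-only truststore with mandatory CRL checks. */
public final class CaTrustChainValidator {
    private final KeyStore caTruststore;         // assumed to hold root/intermediate CA certificates only
    private final Collection<X509CRL> localCrls; // CRLs published by those CAs, kept up to date by the NCP

    public CaTrustChainValidator(KeyStore caTruststore, Collection<X509CRL> localCrls) {
        this.caTruststore = caTruststore;
        this.localCrls = new ArrayList<>(localCrls);
    }

    /** Loads one DER- or PEM-encoded CRL file fetched from a root or intermediate CA. */
    public static X509CRL loadCrl(Path crlFile) throws GeneralSecurityException, IOException {
        try (InputStream in = Files.newInputStream(crlFile)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    /** Builds the path from the end-entity certificate up to a trust anchor in the CA truststore.
     *  Throws if no trusted chain exists, if a certificate is expired, or if one is listed in a CRL. */
    public PKIXCertPathBuilderResult validate(X509Certificate endEntity,
                                              Collection<X509Certificate> intermediates)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        // Trust anchors come from the truststore, so only a CA certificate can terminate the chain.
        PKIXBuilderParameters params = new PKIXBuilderParameters(caTruststore, target);

        List<Object> store = new ArrayList<>();
        store.add(endEntity);
        store.addAll(intermediates);
        store.addAll(localCrls); // the revocation checker takes CRLs from the same CertStore
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(store)));

        // Revocation checking is mandatory: a chain certificate with no applicable CRL fails validation.
        params.setRevocationEnabled(true);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

Because revocation is enabled without a network fallback, an NCP whose local CRL copies have lapsed will reject every peer certificate, which is the intended failure mode rather than a silent skip of the check.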