第3 章電子認証技術に関する国際動向

Size: px

Start display at page:

Download "第3 章電子認証技術に関する国際動向"

かつかげまつかた
4 years ago
Views:

1 3 IETF PKI TAM Trust Anchor Management

2 3. IETF Internet Engineering Task Force PKIX WG 3.1. IETF PKIX WG PKI Public-Key Infrastructure IETF PKIX WG IETF 70 IETF WG PKIX WG IETF PKIX WG PKIX WG ITU-T X.509 WG Working Group - PKIX WG IETF PKIX WG

3 Public-Key Public-Key Infrastructure Infrastructure (X.509) (X.509) WG WG 69 IETF 69 IETF Public-Key Public-Key Infrastructure Infrastructure (X.509) (X.509) WG WG 2007/7/26 15:10-16: /7/26 15:10-16:10 70 Agenda Agenda Document Status Overview Document Status Overview WG documents WG documents SCVP SCVP Subject Public Key info for ECC keys Subject Public Key info for ECC keys Related specifications and Liaison Related specifications and Liaison WebDav for certificate publication and revocation WebDav for certificate publication and revocation SCEP SCEP PRQP PRQP (Syntax for binding documents with time-stamps) (Syntax for binding documents with time-stamps) Framework on key compromise Framework on key compromise Three short fixes Three short fixes 3-1 Public-Key Infrastructure (X.509) WG 69 IETF IETF 76

4 69 IETF PKIX PKIX WG WG RFC RFC Editor RFC RFC Editor Lightweight OCSP (Proposed Standard) Lightweight OCSP (Proposed Standard) Service Name SAN(Subject Alt Name) Service Name SAN(Subject Alt Name) IESG IESG Server-based Certificate Validation Protocol (SCVP) Server-based Certificate Validation Protocol (SCVP) RFC 3280bis RFC 3280bis CMC (3 documents) CMC (3 documents) WG WG Draft for ECDSA and DSA with SHA-2 family of hash algorithms Draft for ECDSA and DSA with SHA-2 family of hash algorithms ECC algorithms ECC algorithms Credential Selection Criteria Data Structure Credential Selection Criteria Data Structure IETF PKIX WG Lightweight OCSP subjectaltname Service Name SAN IESG RFC 69 IETF RFC Editor Lightweight OCSP RFC Service Name SAN RFC4985 SCVP(Server-based Certificate Validation Protocol) RFC3280 (RFC3280bis) CMC(Certificate Management over CMS) 3 IESG SCVP RFC RFC3280bis CMC RFC Editor RFC3280bis IESG CRL 3 The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (RFC 5019) 4 Server-based Certificate Validation Protocol (SCVP) (RFC 5055) 77

5 WG WG Internet-Draft SCVP ECC Subject Key Info SCVP http TLS ECC Subject Key Info ML SCVP RFC5055 ECC Working Document Related specifications and Liaison 3-3 Related specifications and and Liaison WebDAV for certificate publication and revocation WebDAV for certificate publication and revocation WebDAV SCEP Simple WebDAV Certificate Enrollment Protocol SCEP Simple Certificate Enrollment Protocol SCEP RFC SCEP RFC Tim Polk AD PKIX CMC (Paul Tim Polk AD PKIX CMC Hoffman) informational RFC (Paul Hoffman) informational RFC PRQP PKI Resource Discovery Protocol PRQP PKI Resource Discovery Protocol URI OpenCA I-D ML URI OpenCA I-D ML PKI Disaster Recovery and Key Rollover PKI CA rollover Disaster Recovery and Key Rollover informational CA rollover RFC informational RFC Three short fixes Three experimental short fixes RFC experimental RFC subject OID WebTrust subject OID complient WebTrust complient WG WG 3-3 Related specifications and Liaison PKIX WG WebDAV PKI Disaster Recovery and Key Rollover 78

6 WebDAV for for certificate publication and and revocation WebDAV WebDAV Representational State Transfer (REST) Representational State Transfer (REST) URL URL CRL CRL DoS DoS /cn=david%20chadwick/ /cn=david%20chadwick/ /cn=crls/ CRL /cn=crls/ CRL 3-4 WebDAV for certificate publication and revocation WebDAV for certificate publication and revocation WebDAV LDAP URL CN Common Name URL URL WebDAV PKI Disaster Recovery and Key Rollover PKIX WG individual draft Disaster Recovery 79

7 PKI PKI Disaster Disaster Recovery and and Key Key Rollover CRL DoS CRL DoS Revocation Authority Attribute Revocation Autohrity Time-Stamp Authority CRL Authority Repository Attribute Autohrity Time-Stamp Authority CRL Repository individual draft WG draft PKIX WG WG individual draft WG draft PKIX WG WG 3-5 PKI Disaster Recovery and Key Rollover PKI Disaster Recovery and Key Rollover Joel Kazin CPS(Certificate Practice Statement) PKI Informational RFC Revocation Authority Attribute Authority (Time-stamp Authority) CRL DoS(Denial of Services) ( ) 3.3. TAM Trust Anchor Management TAM BoF 69 IETF 7 27 ( ) 70 VPN TAM BoF Web VPN 80

8 Carl Wallace out-of-band ( ) TAM problem statement 81

9 Problem Statement Problem statement Problem statement draft-wallace-ta-mgmt-problem-statement-01 draft-wallace-ta-mgmt-problem-statement-01 trust anchor store trust anchor store draft-ietf-dnsext-trustupdate-timers draft-ietf-dnsext-trustupdate-timers trust anchor trust anchor Trust Anchor Trust Anchor rfc3280 rfc3280 OCSP OCSP 3-6 Problem Statement trust anchor store Web IPsec 82

10 Problem Statement trust anchor store add/remove/query trust anchor store add/remove/query oub-of-band oub-of-band trust anchor trust anchor trust anchor store trust anchor store trust anchor out-of-band fingerprint trust anchor out-of-band fingerprint trust anchor store trust anchor store disaster recovery disaster recovery trust anchor authority trust anchor store trust anchor authority trust anchor store trust anchor manager trust anchor delegation trust anchor manager trust anchor delegation 3-7 Problem Statement trust anchor store fingerprint out-of-band BoF 83

11 TAM TAM BoF BoF Tim Polk BoF Tim Polk WG problem statement constituency( WG problem or ) statement constituency( or ) trust anchor manager trust anchor manager " trust anchor " trust anchor APNIC Terry APNIC Terry IETF ML IETF ML WG WG 3-8 TAM BoF TAM BoF Tim Polk BoF WG Trust Anchor Management IETF WG PKIX WG IETF PKIX WG

12 Public-Key Public-Key Infrastructure Infrastructure (X.509) (X.509) WG WG 70 IETF 70 IETF Public-Key Public-Key Infrastructure Infrastructure (X.509) (X.509) WG WG 2007/12/3 13:05-15: /12/3 13:05-15:05 50 Agenda Agenda WG Status and Direction WG Status and Direction PKIX WG Specifications PKIX WG Specifications Certificate and Certificate Revocation List Profile (3280bis) Certificate and Certificate Revocation List Profile (3280bis) Certificate Management Messages over CMS Certificate Management Messages over CMS Subject public key info resolution for ECC Subject public key info resolution for ECC OCSP Algorithm agility OCSP Algorithm agility Related specifications and Liaison Presentations Related specifications and Liaison Presentations Liaison statements received from ITU-T SG17 Liaison statements received from ITU-T SG17 Trust Anchor Management Protocol (TAMP) Trust Anchor Management Protocol (TAMP) Updating ASN.1 modules to 1998 syntax Updating ASN.1 modules to 1998 syntax Credential selection - Mainly a PKI problem Credential selection - Mainly a PKI problem Resource Discovery Protocol Resource Discovery Protocol 3-9 Public-Key Infrastructure (X.509) WG 70 IETF Stefan Santesson Credential selection 70 IETF PKIX WG

13 70 IETF PKIX PKIX WG WG RFC RFC RFC RFC Editor Editor Server-based Certificate Validation Protocol (SCVP) Server-based Certificate Validation Protocol (SCVP) IESG IESG RFC 3280bis RFC 3280bis CMC (3 documents) CMC (3 documents) WG WG Draft for ECDSA and DSA with SHA-2 family of hash Draft for ECDSA and DSA with SHA-2 family of hash algorithms algorithms ECC algorithms ECC algorithms IETF PKIX WG Server-based Certificate Validation Protocol (SCVP) RFC Editor RFC3280bis CMC IESG SCVP RFC5055 RFC3280bis CMC RFC Editor PKIX WG

14 PKIX WG Subject Subject public public key key info info resolution resolution for for ECC ECC ECC (Elliptic ECC (Elliptic Curve Cryptography ) Curve Cryptography ) RFC4055 X RFC4055 RFC4055 X RFC4055 OCSP OCSP Algorithm Algorithm agility agility draft-hallambaker-ocspagility-00.txt draft-hallambaker-ocspagility-00.txt ML ML 3-11 PKIX WG PKIX WG ECC RFC X RFC4055 OCSP Algorithm agility OCSP Open Certificate Status Protocol OCSP ITU-T PKIX WG 5 Certificate and Certificate Revocation List (CRL) Profile (RFC 4055) 6 ANSI X Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) 87

15 PKIX WG Related Related Specifications Specifications and and Liaison Liaison Presentations Presentations Liaison statements received from ITU-T SG17 Liaison statements received from ITU-T SG17 ITU-T PKIX WG ITU-T PKIX WG streetaddress upper bound unbound streetaddress upper bound unbound bufferoverflow bufferoverflow CA CA no responsible and no mechanism no responsible and no mechanism 3-12 PKIX WG ITU-T DN Distinguished Name DN streetaddress organizationname PKIX WG PKI bufferoverflow CA CA CA PKIX WG IETF PKIX WG 88

16 69 IETF BoF TAM PKIX WG PKIX WG WG ML 70 IETF PKIX WG PKIX WG Trust Trust Anchor Anchor Management Management Protocol Protocol (TAMP) (TAMP) IETF-69 TAM BoF WG IETF-69 TAM BoF WG TAM Protocol PKIX WG TAM Protocol PKIX WG Working Item Working Item ML ML Updating Updating ASN.1 ASN.1 modules modules to to syntax syntax ASN ASN.1 ASN ASN ASN.1 ANY ASN.1 ANY LTANS Tobias der/ber LTANS Tobias der/ber 3-13 PKIX WG ASN.1 WG individual PKIX WG WG WG PKIX WG ASN ASN PKIX WG RFC 89

17 PKIX WG Credential Credential selection selection - - Mainly Mainly a a PKI PKI problem problem Resource Resource Discovery Discovery Protocol Protocol http http ML strow poll ML strow poll 3-14 PKIX WG Credential selection Resource Discovery Protocol Credential selection Resource Discovery Protocol http Internet-Draft ML 3.5. IETF X.509 PKIX WG PKI Trust Anchor Management 2007 PKIX WG 3 RFC

18 Russ Housley PKIX WG PKI PKIX WG PKI 91

19 92

/02/ /09/ /05/ /02/ CA /11/09 OCSP SubjectAltName /12/02 SECOM Passport for Web SR

/02/ /09/ /05/ /02/ CA /11/09 OCSP SubjectAltName /12/02 SECOM Passport for Web SR for Web SR Certificate Policy Version 2.50 2017 5 23 1.00 2008/02/25 1.10 2008/09/19 1.20 2009/05/13 5 1.30 2012/02/15 5.6 CA 1.40 2012/11/09 OCSP SubjectAltName 2.00 2013/12/02 SECOM Passport for Web

第3 章 電子認証技術に関する国際動向

第3 章電子認証技術に関する国際動向