Challenge PKI 2002 IETF PKI <Ryu.Inada@fujixerox.co.jp> 2003 64
Agenda: What is the IETF?; IETF and PKI; JNSA and the IETF
Copyright (c) 2003 NPO Page 2
What is the IETF? Publishes RFCs; www.ietf.org. 8 Areas: Applications, General, Internet, Operations and Management, Routing, Security, Sub-IP, Transport. Meetings: 3 per year (2 + 1); the 57th is in Vienna.
IETF (part 2)
IETF work areas: IPv6; IP telephony (SIP); IPsec/SSH/PKI
IETF standardization process: Internet / Internet-Drafts / IESG / IT
56th IETF: 16 to 21 March 2003, San Francisco Hilton; 34 / 325 / 1640 ( )
IETF and PKI: Security Area: PKIX-WG, S/MIME, TLS; IP Area: IPsec; Operations: AAA
IETF protocols that use PKI: S/MIME, TLS, IPsec, SIP, Diameter; PKIX; a new PKI BOF/WG?
PKIX-WG: RFC 337: DPD (Delegated Path Discovery) / DPV (Delegated Path Verification); EE; 56th IETF PKIX-WG: SCVP, Proxy Certificate / Qualified Certificate?; PKI TAP; liaison with OASIS/W3C/EESSI/JNSA
JNSA and the IETF: 54th, PKIX-WG: Challenge PKI 2001; 55th @Atlanta, PKIX-WG: Challenge PKI 2002; 56th @San Francisco, PKIX-WG: Challenge PKI 2002
56th IETF, Security Area Directors: Jeffrey I. Schiller (MIT); Russell Housley (Vigil Security, formerly RSA Laboratories; RFC2459/3280; S/MIME WG)
56th IETF PKIX-WG: 76 participants; Chairs: Stephen Kent (BBN), Tim Polk (NIST); 19 Internet-Drafts (I-Ds); Last Call: SCVP, Proxy Cert; expired drafts; Area Director: Repository Locator Service
PKIX-WG Agenda: DPD/DPV standard selection process; SCVP Discussion; Proxy Certificates; Signature Algorithms & Key Usage; Trusted Archive Protocol; Qualified Certificates Profile; LDAP/X.500 alignment; Subject Identification Method; EESSI; JNSA Challenge PKI 2002; LDAP PKI Issues; Liaison
DPV/DPD straw poll, Tim Polk (NIST): requirements in RFC3379; candidates SCVP, CVP, DVCS, OCSPv2; comparison matrix circulated on the PKIX ML; SCVP against RFC3379
SCVP, Trevor Freeman (Microsoft): draft -05; Last Call targeted for the 57th IETF @Vienna; open issues: MAC, RFC3379 conformance?, ValidationPolicy; intended users: S/MIME, IPsec, TLS
Proxy Certificates, Von Welch (Argonne Labs): an EE (end entity) issues a certificate to another EE; ProxyCertificate extension is critical; ProxyCert going to WG Last Call
Signature Algorithms & Key Usage, Jim Schaad (Soaring Hawk Consulting): PKCS#1 PSS/OAEP, DH/DSA; keyUsage vs. algorithm identifier; comments from Russ, Steve Kent, Tim
Trusted Archive Protocol, Carl Wallace (Cygnacom): Data Validation: evidence verification; Path Processing: evidence collection; TSP message, CMS; www.openevidence.org; relation to DVCS?; WG Draft?; ML discussion TAP vs. DVCS (Peter Sylvester); PKIX EXT / PKIX APPS WG
QC Profile, Stefan Santesson (RetroSpekt): Scope: identity certs issued to physical persons; legal regulations?; DN, issuer; RFC3280; keyUsage nonRepudiation
LDAP/X.500 alignment, Skip Slone (Lockheed-Martin): X.500 5th edition (2005); ;binary; enhanced matching; nonRepudiation renamed contentCommitment
Subject Identification Method, Park Jong-Wook (KISA): non-public personal ID; sensitive ID: national ID; protection of ID: national ID; draft -03 revision
EESSI (European Electronic Signature Standardization Initiative), Riccardo Genghini: EU; joint PKIX/EESSI session at the 57th IETF, Vienna
JNSA Challenge PKI 2002
LDAP PKI Issues, David Chadwick (Univ. of Salford): subject DN; CRL; component matching; attribute extraction; CA/RA and LDAP; LDAP component matching
Multi Domain PKI Test Suite -- Result of JNSA Challenge PKI 2002 -- Ryu Inada <Ryu.Inada@fujixerox.co.jp> As representative of NPO Japan Network Security Association Sponsored by IT Promotion Agency, Japan
JNSA Challenge PKI 2002: As we reported on 11-Nov-2002 / 56th IETF, we, JNSA, have built a Multi Domain PKI Test Suite. We finished the work on 28-Feb-2003 and are preparing to release it to the public and translate it into English. Estimated date of public release: end of June 2003. Estimated date of English translation: end of June 2003.
20-Mar-2003 56th IETF PKIX-WG 2
PKI interoperability test suite
Challenge PKI 2002 - Test Cases
Sample implementations. In Java: runs on JDK 1.4; based on the Path Discovery/Path Validation API provided by the reference implementation, plus additional Path Discovery/Path Validation logic for multi-domain PKI environments. In C++: runs on Microsoft CryptoAPI; uses the Windows original Revocation Service Provider plus additional Path Discovery/Path Validation logic for multi-domain PKI environments.
Requirements of GPKI and implementations (table: Requirement / Impl. of GPKI). *1 CRL IDP (issuing distribution point)
Sample implementation for
Sample implementation for Java: GPKICertPathBuilderSpi, GPKICertPathChecker, GPKICertPathValidatorSpi, built on java.security.cert.*. We extend the original JDK's path builder/path checker interfaces.
To achieve a more applicable test suite: provide a framework that is more applicable and reusable; make it easy to extract a minimal test case (there are too many test cases, about 256); make it easy to modify for your purpose (PKIX, GPKI and other frameworks); ready for multi-domain PKI; reusable by others; no dependence on the environment (run in your local environment, maybe Linux or Cygwin?). We need two reference documents: a definition of multi-domain PKI, and a definition of the DB schema to re-use.
Related Links: NPO JNSA http://www.jnsa.org/english/e_index.html ; IPA Security Center http://www.ipa.go.jp/security/index-e.html ; JNSA Challenge PKI 2002 http://www.jnsa.org/english/e_active2_10.html ; Implementation Problems on PKI (JNSA Challenge PKI 2001) http://www.ipa.go.jp/security/fy13/report/pki_interop/chalange2001.html ; The report of Challenge PKI in IETF Atlanta http://www.ietf.org/proceedings/02nov/slides/pkix-5.pdf
Demonstration