PKI 1
/ SSL/TLS PKI 28 Oct 2005 PKI /JNSA PKI Day 3 PKI? 2
RFC 2459/RFC 3280/RFC 3280bis CRL(RFC 2459/RFC 3280/RFC 3280bis) OCSP(RFC 2560/Light-weight OCSP) SCVP(SCVP) CMP(RFC 2510/RFC 4210) CRMF(RFC 2511/RFC 4211) CP&CPS(RFC 2527/RFC 3647) SSL/TLS/IPsec/Secure DNS(DNS extensions) (S/MIME) SSH (Secure Shell) (LTANS) SPAM DKIM 28 Oct 2005 PKI /JNSA PKI Day 5 3
/CRL RFC 2459 1999 1 129 RFC 3280Obsolete RFC 3280 2002 4 129 RFC 3280bis 2005 7 138! 2006 2RFC 28 Oct 2005 PKI /JNSA PKI Day 7 RFC 3280bis SHA-1 2000 () Qualified Certificate?? 4 28 Oct 2005 PKI /JNSA PKI Day 8 4
QC()? IETF RFC 3039 (Qualified Certificate) RFC 3739 28 Oct 2005 PKI /JNSA PKI Day 9 QC()? X.509 v3 EUdirective ETSI RFC 3739 28 Oct 2005 PKI /JNSA PKI Day 10 5
QC European Directive on Electronic Signature Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures IETFStandard Track 911 IC 28 Oct 2005 PKI /JNSA PKI Day 11 QC ETSI TS 101 862 V1.3.2 (2004-06) Title: Qualified Certificate profile ETSI TS 101 456 V1.2.1 (2002-04) Title: Policy requirements for certification authorities issuing qualified certificates ETSI TS 102 158 V1.1.1 (2003-10) Title: Electronic Signatures and Infrastructures (ESI);Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified certificates RFC 3739 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile 2004/3 RFC 3039 28 Oct 2005 PKI /JNSA PKI Day 12 6
? PKI CRL?? Trust Anchor (Trust Point)?»?» CTL (Certificate Trust List)? 28 Oct 2005 PKI /JNSA PKI Day 14 7
CRL CRL (Certificate Revocation List) OCSP CRL Distribution Point (CRLDP)! CRLDP CRL CRL! CRL Issuing Distribution Point CRL AIA (Authority Information Access: ) (CRL-AIA) CRL 28 Oct 2005 PKI /JNSA PKI Day 15 () MicrosoftWindows PKI CPU? JAVA PathBuilder/Microsoft Crypto APISecurity API SCVP 28 Oct 2005 PKI /JNSA PKI Day 16 8
CRL (EE) CRL (CA) A A (CA) B (CA) A (EE) (CA) (EE) CRL B 28 Oct 2005 PKI /JNSA PKI Day 17 OCSP CRL (CA) (EE) A A (CA) B (CA) CRL A (EE) (CA) (EE) OCSP B OCSP 28 Oct 2005 PKI /JNSA PKI Day 18 9
SCVP (EE) A (CA) A B (CA) CRL (CA) A (EE) (EE) CRL B SCVP SCVP 28 Oct 2005 PKI /JNSA PKI Day 19 10
SSL/TLS S/MIME IPsec 28 Oct 2005 PKI /JNSA PKI Day 21 SSL/TLS 11/564 IETF 2-3? HTTP 1.1 Server Name Indication 28 Oct 2005 PKI /JNSA PKI Day 22 11
SSL/TLS 28 Oct 2005 PKI /JNSA PKI Day 23 SSL/TLS 28 Oct 2005 PKI /JNSA PKI Day 24 12
SSL/TLS C S S S C C 28 Oct 2005 PKI /JNSA PKI Day 25 S/MIME Ver.3.1 RFC 3850/RFC 3851/RFC 3852 AES S/MIME Capability 28 Oct 2005 PKI /JNSA PKI Day 26 13
S/MIME () 28 Oct 2005 PKI /JNSA PKI Day 27 (Opaque) 28 Oct 2005 PKI /JNSA PKI Day 28 14
(Clear) 28 Oct 2005 PKI /JNSA PKI Day 29! e 300dpi 256(1677) TIFF PDF OCR» PKI 28 Oct 2005 PKI /JNSA PKI Day 30 15
PKI / ( ) ( ) () ( ) () (3-10) 28 Oct 2005 PKI /JNSA PKI Day 31 RFC 3161 (TSA, Time Stamping Authority) 1ab5c98f... 2004/2/14 15:00:00 1ab5c98f... TimeStamp 2004.2.14 15:00:00 TSA 28 Oct 2005 PKI /JNSA PKI Day 32 16
MAC XML RFC3161 ETSI TS 101 861 ISO/IEC18014-2 ISO/IEC18014-2 ISO/IEC18014-2 ISO/IEC18014-2 OASIS DSSTIML ISO/IEC18014-3 ISO/IEC18014-3 RSA ISO/IEC18014-3 TSA ETSI TS 102 023(RFC 3628) ETSI TS 101 733 (RFC 3126),XAdES,DVCS,TAP 28 Oct 2005 PKI /JNSA PKI Day 33 RFC 3161 HTTP FILE SMTP Socket TCP 28 Oct 2005 PKI /JNSA PKI Day 34 17
28 Oct 2005 PKI /JNSA PKI Day 35 ETSI TS 101 861 TSP TSP SHALL NOT) SHA-1 RIPEMD-160 MD5MAY) TSP accuracy,nonce(must) ordaring FALSE SHA-1withRSA(MUST) RSA1024bits (MUST) 2048bits (SHOULD) DSApq 1024bits (SHALL) HTTP nonce(must) accuracy 1 orderingfalse gentime 1 non-critical (SHALL) (MUST) SHA1 MD5RIPEMD160 SHA-1withRSA(MUST) RSA1024bits (MUST) 2048bits (SHOULD) TSA X.520 NameC ST O CN ST HTTP 28 Oct 2005 PKI /JNSA PKI Day 36 18
A A CRL A A 3 t 28 Oct 2005 PKI /JNSA PKI Day 37 TimeStamp 2004.2.14 15:45:00 CRL A A A 3 TimeStamp 2004.2.14 15:45:00 5 7 t 28 Oct 2005 PKI /JNSA PKI Day 38 19
(TTP) DVCS (Data Validation & Certification Protocol, RFC 3029) TAP (Trusted Archival Protocol, IETF ) RFC 3126 Electronic Signature Formats for long term electronic signatures ETSI TS 101 733 ESI Electronic Signature Formats ETSI TS 101 903 XML Advanced Electronic Signatures (XAdES) 28 Oct 2005 PKI /JNSA PKI Day 39 DVCS (Data Validation & Certification Protocol) cpd: Certification of Possession of Data ccpd: Certification of Claim of Possession of Data vsd: Validation of Digitally Signed Document vpkc: Validation of Public Key Certificates 28 Oct 2005 PKI /JNSA PKI Day 40 1. DVCS 8. DVC 2. DVCS (cpd,ccpd,vsd,vpkc) 7. DVCS DVCS 6. Timestamp Token TSA 3. 4. DVC 5. Timestamp Token 20
TAP (Trusted Archival Protocol) () () TAP (TAA) TAP 28 Oct 2005 PKI /JNSA PKI Day 41 RFC 3126 (Electronic Signature Formats for long term electronic signatures) ES-A ES-A ES-A ES-X Time Stamp Time Stamp Time Stamp 28 Oct 2005 PKI /JNSA PKI Day 42 21
XAdES (ETSI TS 101 903 XML Advanced Electronic Signatures) <dsig:signature Id="Sig" XA ES-A XA ES-X-L XA ES-X xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:signedinfo> : </dsig:signedinfo> <dsig:signaturevalue>...</dsig:signaturevalue> <dsig:keyinfo> : </dsig:keyinfo> <dsig:object> <XAdES:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.1.1#" Target="Sig"> <XAdES:SignedProperties> <XAdES:SignedSignatureProperties> <XAdES:SigningTime> </XAdES:SigningTime> XML Signature XA ES-C XA ES-T XA ES Signed Property UnSigned Property Time- Stamp Over digital SIgnature Complete Certificate And Revocation referrence Time-Stamp Over Certificate path references and revocation status referrences OR Over ds:signature element Time-Stamp in XAdES-T certificate path referrences and revocation status referrences Certificate path data and revocation status data Sequence of Time-Stamps Over XAdES-X-L <XAdES:SigningCertificate> </XAdES:SigningCertificate> <XAdES:SignaturePolicyIdentifier> </XAdES:SignaturePolicyIdentifier> <XAdES:SignatureProductioPlace> </XAdES:SignatureProductioPlace>? <XAdES:SignatureRole> </XAdES:SignatureRole>? </XAdES:SignedSignatureProperties> < XAdES:SignedDataObjectProperties> XAdES <XAdES:DataObjectFormat > </XAdES:DataObjectFormat >* <XAdES:CommitmentTypeIndication> </XAdES:CommitmentTypeIndication>* <XAdES:AllDataObjectsTimeStamp> </XAdES:AllDataObjectsTimeStamp> * <XAdES:ndividualDataObjectsTimeStamp> </XAdes:AllDataObjectsTimeStamp>* </XAdES:SignedDataObjectProperties> </XAdES:SignedProperties> <XAdES:UnsignedProperties> <XAdES:UnsignedDataObjectProperties> <XAdES:UnsignedDataObjectPropertiy> <esign:accepttimestamp xmlns:esign= http://www.nttcom.co.jp/2002/12/esign/v1.0.0# > </esign:accepttimestamp> </XAdES:UnsignedDataObjectProperty> <XAdES:UnsignedDataObjectProperties> <XAdES:UnsignedSignatureProperties> <XAdES:CounterSignature> </XAdES:CounterSignature>* <XAdES:SignatureTimeStamp> </XAdES:SignatureTimeStamp>+ XAdES-T <XAdES:CompleteCertificateRefs> </XAdES:CompleteCertificateRefs> <XAdES:CompleteRevocationRefs> </XAdES:CompleteRevocationRefs> XAdES-C (<XAdES:SigAndRefsTimeStamp> </XAdES:SigAndRefsTimeStamp>* <XAdES:RefsOnlyTimeStamp> </XAdES:RefsOnlyTimeStamp>*) <XAdES:CertificateValue> </XAdES:CertificateValue> <XAdES:RevocationValue> </XAdES:RevocationValue> <XAdES:ArchiveTimeStamp> </XAdES:ArchiveTimeStamp>+ </XAdES:UnsignedSignatureProperties> </XAdES:UnsignedProperties> </XAdES:QualifyingProperties> </dsig:object> </dsig:signature> XAdES-X XAdES-X-L XAdES-A 28 Oct 2005 PKI /JNSA PKI Day 2003 43 TSA (long-term archive) 28 Oct 2005 PKI /JNSA PKI Day 44 22
ETSI IETFLTANS-WG Adobe? 28 Oct 2005 PKI /JNSA PKI Day 45 IPsec IKEv1/ISAKMP IKEv2 IETF pki4ipsec WG 28 Oct 2005 PKI /JNSA PKI Day 46 23
Secure DNS DNS DHCPDynamic Update SPAM 28 Oct 2005 PKI /JNSA PKI Day 47 Microsoft MS Windows Windows 2000 Windows NT Windows XP WindowsInternet Explorer Outlook Outlook ExpressMicrosoft Corporation Sun Microsystems SunJava Solaris Java JDKSun Microsystems 28 Oct 2005 PKI /JNSA PKI Day 48 24
25