PKI Forum Application Cert Interop Project David Crowe
Project Purpose To establish interoperability of application certs Pertains both to certs themselves, issued by different vendors’ CAs, and to the certs’ usage by applications Focus is on finding successful interoperations rather than on seeking “complete” interoperability between products
Project Deliverables Public demonstration –to cover a chosen subset of our successful tests –to be scheduled by Sep 2000 Results Matrices –A matrix for each script listing successfully tested variants
Matrix for SSL Script
Matrix for S/MIME Script
Project Plan (so far) Solicit participation (14 Apr 2000) Agree on project plan, scenarios, applications, & algorithms (Apr-May 2000) Flesh out the scenarios (May 2000) Perform tests through bilateral electronic communication (May-Jun 2000) Have 1st communal "bake-off" (26 Jun 2000 in Dublin)
Project Plan (from now on) Provide TWG with status update, solicit feedback (28-29 Jun 2000 in Dublin) Fix problems encountered (Jul-Aug 2000) Plan public demo (Jul 2000) Have 2nd communal "bake-off" to verify success (12 Sep 2000 in Montreal)
Achievements to Date Participants lined up (more are welcome) Test scripts prepared (more are welcome) –Inter-PKI application cert usage (SSL) –S/MIME Remote testing underway Initial bake-off held
Test Scripts Have different variants Participants (& pairs of participants) will test only variants of interest to them Each successful test of a variant is shown as a row in the results matrix Internal test results are private to the participants involved (but results matrices are published)
SSL Script Tests one PKI vendor's web server's ability to authenticate user presenting another PKI vendor's cert Variants: –status checking: CRLs (v1 & v2) & OCSP (with CA signer, designated signer, & out-of- band-agreed signer) –algorithms: RSA & DSA
S/MIME Script Tests S/MIME transfer between two users possessing certs from different PKI vendors Focuses on cert interoperability Separate scripts might be desired for testing client interoperability
S/MIME Script (2) Variants: –status checking: CRLs (v1 & v2) & OCSP (with CA signer, designated signer, & out-of- band-agreed signer) –single & dual certs – client –S/MIME v2 & v3
Early Test Findings Early tests relate to cert path construction & validation—for which script is not written yet Tests indicate need for configuration notes in addition to results matrix rows Test results are preliminary, with tests needing to be rerun using full written script
Cert Path Construction & Validation Results Vendor for CACA SoftwareVendor for Application Application Software How Constructed Status Checking Algorithm for CAs Algorithm for End-Entity Certs XcertSentry CAEntegrityPKI BenchManuallyCRLRSA XcertSentry CAEntegrityPKI BenchManuallynoneRSA KeonEntegrityPKI BenchManuallyCRLRSA KeonEntegrityPKI BenchManuallynoneRSA XcertSentry CACeloCelocom MailManuallyCRLRSA XcertSentry CACeloCelocom MailManuallynoneRSA XcertSentry CACeloCelocom MailManuallyCRLmixed RSA & DSA RSA XcertSentry CACeloCelocom MailManuallynonemixed RSA & DSA RSA XcertSentry CACeloSignature Plugin ManuallyCRLRSA XcertSentry CACeloSignature Plugin ManuallynoneRSA XcertSentry CACeloSignature Plugin ManuallyCRLmixed RSA & DSA RSA XcertSentry CACeloSignature Plugin Manuallynonemixed RSA & DSA RSA XcertSentry CACeloSSL-GatewayManuallyCRLRSA XcertSentry CACeloSSL-GatewayManuallynoneRSA XcertSentry CACeloSSL-GatewayManuallyCRLmixed RSA & DSA RSA XcertSentry CACeloSSL-GatewayManuallynonemixed RSA & DSA RSA XcertSentry CAEntegrityPKI BenchPKCS#7 built by Celo Signature Plugin CRLRSA
Project Participants Baltimore Technologies Celo Communications Entegrity Solutions Entrust JAWS Technologies Netlexis Rainbow Technologies RSA Security Tivoli (IBM) Xcert
Discussion Tomorrow Suggestions for improvements to project plan