1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt

Slides:

Advertisements

Similar presentations

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

Advertisements

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Status Report of the Study Group on MDR/MFI Implemenations ISO/IEC JTC 1/SC 32/WG2 Interim Meeting Santa Fe, NM, USA, November 11~15, 2013 Dongwon Jeong,

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

© ITU Telecommunication Development Bureau (BDT) – E-Strategies Unit.. Page - 1 Building Trust and Security for E-government Dubai, United Arab.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

1 Current Status of Japanese Government PKI Systems Yasuo Miyakawa*+, Takashi Kurokawa*, Akihiro Yamamura* and Yasushi Matsumoto+ * National Institute.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

EEMA’s pki Challenge Paul Green – VeriSign and pkiC testing participant.

Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

The U.S. Federal PKI and the Federal Bridge Certification Authority

EDUCAUSE Fed/Higher ED PKI Coordination Meeting

The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed December 2004.

Federal Bridge Certification Authority n Background n Overview n EMA Challenge Test structure n Participants n Results n Conclusions and lessons learned.

Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

The Federal Bridge Certification Authority – Description and Current Status Peter Alterman, Ph.D. Senior Advisor to the Chair, Federal PKI Steering Committee.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

IDA Security Experts Workshop Olivier LIBON Vice President – GlobalSign November 2000.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

HEPKI-TAG UPDATE Jim Jokl University of Virginia

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Bridge Certification Architecture A Brief Demo by Tim Sigmon and Yuji Shinozaki June, 2000.

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

The NIH PKI Pilots Peter Alterman, Ph.D. … again.

HEPKI-PAG Policy Activities Group David L. Wasley University of California.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, Amsterdam.

By Umair Ali. Dec 2004Version 1 -PKI - a security architecture – over the internet. -Provides an increased level of confidence for exchanging information.

© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.

Jimmy C. Tseng Assistant Professor of Electronic Commerce

The Federal PKI Or, How to Herd Worms Peter Alterman Senior Advisor, Federal PKI Steering Committee.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

PKI Summit August 2004 Technical Issues to Deploying PKI on Campuses.

Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.

User Interface Requirement for the Internet X.509 PKI Jaeho Yoon (on behalf of Tae K. Choi) KOREA INFORMATION SECURITY AGENCY August 4, 2004.

Creating and Managing Digital Certificates Chapter Eleven.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.

HEBCA – The Operating Authority July 2005 Dartmouth PKI Summit.

Electronic Security and PKI Richard Guida Chair, Federal PKI Steering Committee Chief Information Officers Council

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

The Trusted Network · · · LEFIS PKI · · · 2 nd June, 2006 · Sofia by Leonardo Catalinas · May 2006

Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.

Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.

NIST Path Validation Protection Profiles

Higher Education Bridge Certification Authority

Technical Approach Chris Louden Enspier

Resource Certificate Profile

Presentation transcript:

1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt Masaki SHIMAOKA

2 Motivations (Actual operational issues) Japanese GPKI is based on Bridge CA architecture. –Needed various interoperability experiments –Raised not only technical issues, but many operational issues. Bridge CA MUST be neutral and strict. –Needs domain certification criteria. –MUST restrict connecting with irregular trust model which has not interoperability. Some confusing example –CA-X cross-certifies subordinate CA-Y of another domain. Does CA-X trust not the superior CA-Z of CA-Y, though the ARL of CA-Y is issued by CA-Z? How does CA-X trust and verify the ARL issued by CA-Z? –CA-X and CA-Y cross-certify each other mutually. When CA-X updates cross-certificate, does CA-Y re-generate not crossCertificatePair? –CA-X only populate self-signed certificate to own domain internally. This CA-X looks like subordinate CA from outside.

3 What’s issue? (Theoretical issues) How does Relying-Party (RP) trust other CA? –Cross-Certification from Trust Anchor of RP. → Single trust point model –Trust the other CA directly. → Multi trust point model What is PKI domain? –Which CA SHOULD be recognized as same PKI domain? –How should we trust other PKI domain?

4 Objectives & Scope Objectives –To Achieve multi-domain PKI interoperability We have No standard for multi-domain PKI. –To limit irregular PKI in multi-domain PKI What kind of PKI does have interoperability, or not have? Scope –To Establish the guideline for PKI domain certification criteria Establish a trust relationship between CAs Establish a trust model for multi-domain PKI –As Best Current Practice, not specification

5 Contents of the Document 1.Introduction 2.Terminology 3.Trust Relationship –Define the trust relationship between CAs 4.Single-domain PKI –Define the model for single-domain PKI 5.Multi-domain PKI –Define the model for multi-domain PKI 6.Considerations

6 Section 3: Trust Relationship Trust List –List of trusted CA certificate User Trust List is managed by individual user Authority Trust List is managed by trusted authority (CA) Cross-Certification –Unilateral cross-certification –Bi-lateral cross-certification Subordination –Peculiar unilateral cross-certification –Subordinate CA has no self-signed certificate.

7 Section 4: Single-domain PKI Define the suitable models for participant to multi-domain PKI –Simple PKI –Hierarchy PKI –Mesh PKI Hierarchy Simple Mesh : CAs (translucent is not Trust Anchor) : EEs colored the same as their trust anchor : issued certificate : issued self-signed certificate

8 Section 5: Multi-domain PKI Multi-trust point model –Trust List Single-trust point model –Peer-to-Peer model based on cross-certification –Super domain model based on unilateral cross-certification –Hub model a.k.a Bridge CA model Peer-to-Peer Trust List Super Domain Hub RP

9 Section 6: Considerations Certificate & CRL Profile –Consider some extensions for achieving multi-domain PKI interoperability Repository –Consider how to obtain the required information for path construction and validation in multi-domain PKI Path Validation –Consider the path validation algorithm and parameters for multi- domain PKI Inter-domain consensus for cross-certification –Policy mapping –Validity of each cross-certificate validity of self-signed certificate Consider each CA key update

10 To Do To concretize a relation between PKI domain and domain policy To consider more about Hub model –Too complex To clear a relation with other dependent specification To consider about hybrid (heterogeneous) trust model –CA-X trusts CA-Y by unilateral cross-certification –CA-Y trusts CA-X by trust list I want co-authors

11 Related Resources Challenge PKI project Homepage –Multi-domain PKI Interoperability Framework – Internet-Draft for this – pki-00.txt Implementation Problems on PKI – lange2001.html Interoperability Issues for multi-domain PKI –

12 Interoperability experiments I had joined –Japanese GPKI interoperability experiments Interconnecting GPKI BCA with some governmental CA and private CA Path validation and path control using some constraints [Sorry, Japanese only] –JKST-IWG (JP,KR,SG,CT Interoperability WG of ASIA PKI Forum) International CA-CA interoperability experiments Path processing experiments PKCS#11 API interoperability experiments –English available, but not enough yet –JNSA/IPA Challenge PKI 200x CA-CA Interoperability Experiments (2001) PKI Interoperability Test Suite (2002) –Ready for English

13 Thank you. Masaki SHIMAOKA