UTF8String Deployment Status and Migration Plan Akira KANAOKA Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency,

Presentation transcript:

UTF8String Deployment Status and Migration Plan Akira KANAOKA Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency, Japan

6-11 March 2005 UTF8String Deployment Statement and Migration Plan

Slide 2: Agenda
Problem statement
Project: Survey of UTF8String Problem in PKI Certificates
UTF8String Deployment Status in Asia
Ongoing Works
– Migration plan for UTF8String
– Test case design for UTF8String implementation

Slide 3: Problem statement
Deadline for migration in RFC 3280
– 31st Dec
– Canceled in 3280bis
Lack of description to migrate in
– Detailed string matching
– Migration Plan
– Certificate and CRL/ARL issuance during migration
Gap between CA and client implementation

Slide 4: The sequence of events
IETF: 58th meeting (Nov. 2003)
– Addressed to solve UTF8String issue at PKIX.
Attention from IPA (Dec. 2003)
– “On UTF8String problem of RFC 3280”
60th, 61st meeting (Jul., Nov. 2004)
– stringmatch I-D
IPA* Project (Sep. 2004)
– Survey of UTF8String Problem in PKI Certificates
– Report submitted to IPA (Feb. 2005)
3280bis (Feb. 2005)
*IPA: IT Promotion Agency, Japan

Slide 5: Survey of UTF8String Problem in PKI Certificates
Explanation of the problem
Proposal for UTF8String migration
Survey
– Product implementation
– UTF8String deployment status in Asia
– IETF activity around UTF8String
– Test case design for UTF8String implementation
Migration Plan for UTF8String

Slide 6: UTF8String Deployment Status in Asia
Examined whether they use UTF8String for directoryName in certificates
Examined whether they use local characters in UTF8String
– Local character: e.g. CJK (Chinese, Japanese, Korean)
Asked by means of a prepared questionnaire
Asked the members of “the Asia PKI Forum (APKI-F)”
– 9 Countries and Regions

Slide 7: Countries and Regions Replies to the Questionnaire
Sent to 9 countries and regions
Replies from 3 countries and regions (11 CAs)
CA Type

Slide 8: CA Type Description
“Government CA”
– CA built by the Government for public service
“Accredited CA”
– CA built by the private sector, and accredited or licensed by legal proceeding
“Commercial CA”
– CA built by the private sector, and used for a public/closed PKI (Non-governmental).

Slide 9: Encoding Used in Each Field

| Field | CA1 | CA2 | CA3 | CA4 | CA5 | CA6 | CA7 | CA8 | CA9 | CA10 | CA11 |
| issuer | U | P | U | U | U | U | U | U | U | U | P |
| subject | U | U | U | U | U | U | U | U | U | U | P |
| subjectAltName | I | U | - | I | I | I | I | U | - | U | U |
| subjectDirectoryAttribute | - | - | - | P | U | U, P | P | - | - | - | - |
| cRLDistributionPoints | U,I | I | I | I | I | I | I | U | U | U | I |
| authorityInfoAccess | - | - | I | I | I | I | I | - | - | - | - |
| issuingDistributionPoint | U,I | I | - | - | - | - | - | U | P | - | - |

Rows with incomplete cell data in the transcript (values as extracted):
issuerAltName: U-UU
nameConstraints: --U
other standard extensions: U-UI, B
other private extensions:
CertificateIssuer:
other CRL extensions:
CCS: JIS X 0208, CNS, CNS, CNS, CNS, CNS, JIS X 0208, JIS X 0208, Unknown

*U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used
*CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
: local character used

Slide 10: Encoding Use in Each Field (cont.)
Most CAs already use UTF8String.
Most CAs use local characters.

| Field | CA1 | CA2 | CA3 | CA4 | CA5 | CA6 | CA7 | CA8 | CA9 | CA10 | CA11 |
| issuer | U | P | U | U | U | U | U | U | U | U | P |
| subject | U | U | U | U | U | U | U | U | U | U | P |
| subjectAltName | I | U | - | I | I | I | I | U | - | U | U |

Row with incomplete cell data in the transcript (values as extracted):
issuerAltName: U-UU

*U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used
*CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
: local character used

Slide 11: Compliance with RFC 3280 and its Migration Plan

Slide 12: Additional Survey
UTF8String use in MS Windows Root Certificate Store
– OS: Windows XP (Japanese)
– as of January 2005
No certificate uses UTF8String.
– 107 certificates in the certificate store
– No certificate issued after 31st Dec
Table columns: Date of Issue, #, After 31st Dec

Slide 13: Conclusion: UTF8String Deployment Status in Asia
Contrast between Government CAs and Commercial CAs
Most Government CAs use UTF8String (by Questionnaire)
No Commercial CA uses UTF8String (by MS Windows Certificate Stores)
– Asian Government CAs hope to use local characters.
  Most governments use local characters for register information.

Slide 14: Conclusion (cont.): UTF8String Deployment Status in Asia
Few CAs have a Migration Plan to UTF8String
– Most Government CAs use UTF8String from the beginning.
– There is only one case having a migration plan.
  Deadline of the case: November, 2005
Best Practice for using/migrating to UTF8String is needed.
– We don’t have any guideline.

Slide 15: Ongoing Project
Migration Plan
– CA certificate
  Re-issue or re-build
– CRL encoding after migration of CA certs
  ‘Keeping legacy encoding’ or ‘Using UTF8String’
– Need to publish this as informational RFC?
Test Case Designing
– Typical case of:
  path building (‘different encoding’ and ‘comparison rules’)
  Revocation checking
– Providing the Test data of:
  Sample Certificate and CRL
– Available by the end of this month on our web site
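The survey question (which ASN.1 string type a CA uses for directoryName) and the path-building test case ('different encoding' and 'comparison rules') can both be reproduced on raw DER. The following is an added example, not code or test data from the Challenge PKI Project: it reads the string type of each attribute in a Name and shows that a PrintableString issuer and a UTF8String subject with the same text differ byte for byte. The names, the `same_name` helper and its simplified text-only comparison (no case folding or whitespace handling as in RFC 3280 or the stringmatch I-D) are assumptions for illustration.

```python
# Added example, not from the slides. Sample names are constructed.
# ASN.1 tag -> (string type, Python codec) for the types in the survey table.
TYPES = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
         0x16: ("IA5String", "ascii"), 0x1E: ("BMPString", "utf-16-be")}

def tlv(tag, value):
    """Encode one DER TLV (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_attributes(der_name):
    """List (attribute OID hex, string type, text) for a DER-encoded Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in children(rdns):        # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):     # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (vtag, val) = children(atv)
            kind, codec = TYPES.get(vtag, (hex(vtag), "latin-1"))
            out.append((oid.hex(), kind, val.decode(codec)))
    return out

def same_name(a, b):
    """Simplified match: same OIDs and decoded text, string type ignored."""
    text = lambda n: [(oid, s) for oid, _, s in name_attributes(n)]
    return text(a) == text(b)

def make_name(tag, org):
    """Build a one-attribute Name: organizationName (2.5.4.10) = org."""
    value = tlv(tag, org.encode(TYPES[tag][1]))
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("55040a")) + value)))

LEGACY = make_name(0x13, "Example CA")    # issuer written before migration
MIGRATED = make_name(0x0C, "Example CA")  # re-issued CA subject, UTF8String
LOCAL = make_name(0x0C, "認証局")          # local (CJK) characters
```

A client that chains by binary comparison treats `LEGACY` and `MIGRATED` as different names, which is the case the CRL and certificate issuance questions on this slide have to cover.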

Slide 16: Reference
JNSA Challenge PKI Project
RFC Preparation of Internationalized Strings ("stringprep")
3280bis
– http://csrc.nist.gov/pki/documents/PKIX/draft-ietf-pkix-rfc3280bis-00.txt

Slide 17: Appendix: Questionnaire outline
Certificate and CRL/ARL
– Kind of local character (e.g. CJK)
– Kind of encoding for directoryName
– Kind of CCS
– Difference between CA self-signed certificate and EE certificate
Migration Plan to UTF8String
– Plan existence
– Migration deadline, reason
– Migration reference existence