libpkix & CertPath: Bringing High Quality Certificate Handling to the Masses PKI Higher Education Summit July 14, 2004 Steve Hanna, Sun Microsystems, Inc. Copyright 2004 Sun Microsystems, Inc. All Rights Reserved

Outline ● Path Validation & Building ● CertPath ● libpkix ● Discussion

Path Validation ● Given a chain of X.509 certificates and a set of parameters, check if chain is valid ● Signatures ● Subject-Issuer Name Chaining ● Expiration/Validity ● Revocation ● Name Constraints ● Policy Processing ● Used in SSL/TLS, IPsec, S/MIME, SSO, etc. ● Described in IETF RFC 3280

Path Building ● Given a set of parameters, build a valid chain of X.509 certificates to a particular target ● Active research area ● Simple solutions known (DFS, BFS) ● More advanced ones being explored ● Meet in Middle ● Best-First Search ● Heuristics ● Expert Servers ● Prebuilt Paths ● Scaling Problems

CertPath ● Java API and libraries ● Build and validate chains of X.509 certificates ● API standardized through JSR 55 in 2001 ● Included in J2SE SDK 1.4 and later ● Comply with IETF RFC 3280 ● Pass NIST PKITS ● Support any PKI topology ● Recent Enhancements: ● Performance Analysis, Caching ● Simple CRL DP Processing ● OCSP Support ● Fixes to Pass PKITS

libpkix ● Portable C library ● Build and validate chains of X.509 certificates ● Soon to be Open Source (BSD) on SourceForge ● Will comply with RFC 3280 and pass PKITS ● Portable ● Efficient (Thread-Hot) ● Support any PKI topology ● Designed to plug easily into any code base: Mozilla, OpenSSL, etc. ● Not Complete Yet

Primary Obstacles to PKI Deployment and Usage 1) Software Applications Don't Support It 2) Costs Too High 3) PKI Poorly Understood 4) Too Much Focus on Technology, Not Enough on Need 5) Poor Interoperability Source: OASIS PKI TC August 2003 Survey

Why CertPath and libpkix? ● We need strong PKI support in applications ● Standards-compliant ● Reliable ● Interoperable ● Bridge CA compatible ● Application vendors will add such support if ● Revenue boost substantially exceeds costs ● NIST draft rec, J GPKI => revenue impact ● Strong Open Source library => lower development costs

libpkix Architecture libpkix Portable Code libpkix Portability Layer Application/Library Platform (OS, NSS, OpenSSL, etc.)

libpkix Development Team ● Sun Labs Internet Security Research Group ● Created CertPath libraries (in JDK 1.4 & later) which pass PKITS tests ● Authors of NDSS '01 paper on path building ● Ongoing PKI research: R&D Workshop, etc. ● Active in IETF PKIX WG, OASIS PKI TC, etc. ● Dartmouth PKI Lab ● PKI Research and Deployment ● Dozens of Papers and Prototypes ● Years of Deployment Experience ● Responsible for HEBCA

libpkix Applications ● NSS ● Mozilla ● Sun servers ● Netscape servers ● OpenSSL ● Others in discussions

libpkix Implementation Status ● Architecture Complete ● APIs Complete ● Basic NSS Portability Layer Working ● Starting on Basic Path Validation

Current Schedule ● Fall 2004 – Basic Path Validation ● Summer 2005 – Full Path Validation ● Summer 2006 – Full Path Building ● Summer 2007 – Certificate Collection ● Later – Optional Features (CRL DP, segmented CRLs, etc.)

libpkix Assistance Needed ● Funding to hire an engineer ● $100K for one engineer for one year ● Accelerates schedule ~1.8x ● Spring 2005 – Full Path Validation ● Fall 2005 – Full Path Building ● Seeking funding from vendors & U.S. Gov ● Direct implementation assistance ● Undergrad/grad projects ● Path validation modules ● Path building heuristics and algorithms ● Full-time engineer

For More Info ● Read CertPath Programmer's Guide ● Read libpkix Architecture and libpkix Programmer's Guide ● or

Discussion