PKI Forum Application Cert Interop Project David Crowe

1 PKI Forum Application Cert Interop Project David Crowe dcrowe@xcert.com

2 Project Purpose
- To establish interoperability of application certs
- Pertains both to certs themselves, issued by different vendors’ CAs, and to the certs’ usage by applications
- Focus is on finding successful interoperations rather than on seeking “complete” interoperability between products

3 Project Deliverables
- Public demonstration
  – to cover a chosen subset of our successful tests
  – to be scheduled by Sep 2000
- Results Matrices
  – A matrix for each script listing successfully tested variants

4 Matrix for SSL Script

5 Matrix for S/MIME E-mail Script

6 Project Plan (so far)
- Solicit participation (14 Apr 2000)
- Agree on project plan, scenarios, applications, & algorithms (Apr-May 2000)
- Flesh out the scenarios (May 2000)
- Perform tests through bilateral electronic communication (May-Jun 2000)
- Have 1st communal "bake-off" (26 Jun 2000 in Dublin)

7 Project Plan (from now on)
- Provide TWG with status update, solicit feedback (28-29 Jun 2000 in Dublin)
- Fix problems encountered (Jul-Aug 2000)
- Plan public demo (Jul 2000)
- Have 2nd communal "bake-off" to verify success (12 Sep 2000 in Montreal)

8 Achievements to Date
- Participants lined up (more are welcome)
- Test scripts prepared (more are welcome)
  – Inter-PKI application cert usage (SSL)
  – S/MIME e-mail
- Remote testing underway
- Initial bake-off held

9 Test Scripts
- Have different variants
- Participants (& pairs of participants) will test only variants of interest to them
- Each successful test of a variant is shown as a row in the results matrix
- Internal test results are private to the participants involved (but results matrices are published)

10 SSL Script
- Tests one PKI vendor's web server's ability to authenticate user presenting another PKI vendor's cert
- Variants:
  – status checking: CRLs (v1 & v2) & OCSP (with CA signer, designated signer, & out-of-band-agreed signer)
  – algorithms: RSA & DSA

11 S/MIME Script
- Tests S/MIME e-mail transfer between two users possessing certs from different PKI vendors
- Focuses on cert interoperability
- Separate scripts might be desired for testing e-mail client interoperability

12 S/MIME Script (2)
- Variants:
  – status checking: CRLs (v1 & v2) & OCSP (with CA signer, designated signer, & out-of-band-agreed signer)
  – single & dual certs
  – e-mail client
  – S/MIME v2 & v3

13 Early Test Findings
- Early tests relate to cert path construction & validation, for which script is not written yet
- Tests indicate need for configuration notes in addition to results matrix rows
- Test results are preliminary, with tests needing to be rerun using full written script

14 Cert Path Construction & Validation Results

| Vendor for CA | CA Software | Vendor for Application | Application Software | How Constructed | Status Checking | Algorithm for CAs / Algorithm for End-Entity Certs |
|---|---|---|---|---|---|---|
| Xcert | Sentry CA | Entegrity | PKI Bench | Manually | CRL | RSA |
| Xcert | Sentry CA | Entegrity | PKI Bench | Manually | none | RSA |
| | Keon | Entegrity | PKI Bench | Manually | CRL | RSA |
| | Keon | Entegrity | PKI Bench | Manually | none | RSA |
| Xcert | Sentry CA | Celo | Celocom Mail | Manually | CRL | RSA |
| Xcert | Sentry CA | Celo | Celocom Mail | Manually | none | RSA |
| Xcert | Sentry CA | Celo | Celocom Mail | Manually | CRL | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Celo | Celocom Mail | Manually | none | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Celo | Signature Plugin | Manually | CRL | RSA |
| Xcert | Sentry CA | Celo | Signature Plugin | Manually | none | RSA |
| Xcert | Sentry CA | Celo | Signature Plugin | Manually | CRL | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Celo | Signature Plugin | Manually | none | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Celo | SSL-Gateway | Manually | CRL | RSA |
| Xcert | Sentry CA | Celo | SSL-Gateway | Manually | none | RSA |
| Xcert | Sentry CA | Celo | SSL-Gateway | Manually | CRL | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Celo | SSL-Gateway | Manually | none | mixed RSA & DSA / RSA |
| Xcert | Sentry CA | Entegrity | PKI Bench | PKCS#7 built by Celo Signature Plugin | CRL | RSA |

15 Project Participants
- Baltimore Technologies
- Celo Communications
- Entegrity Solutions
- Entrust
- JAWS Technologies
- Netlexis
- Rainbow Technologies
- RSA Security
- Tivoli (IBM)
- Xcert

16 Discussion Tomorrow
- Suggestions for improvements to project plan
