Download presentation
Presentation is loading. Please wait.
1
1 Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka- multidomain-pki-00.txt http://www.jnsa.org/mpki/ mpki@jnsa.org Masaki SHIMAOKA shimaoka@secom.ne.jp
2
2 Motivations (Actual operational issues) Japanese GPKI is based on Bridge CA architecture. –Needed various interoperability experiments –Raised not only technical issues, but many operational issues. Bridge CA MUST be neutral and strict. –Needs domain certification criteria. –MUST restrict connecting with irregular trust model which has not interoperability. Some confusing example –CA-X cross-certifies subordinate CA-Y of another domain. Does CA-X trust not the superior CA-Z of CA-Y, though the ARL of CA-Y is issued by CA-Z? How does CA-X trust and verify the ARL issued by CA-Z? –CA-X and CA-Y cross-certify each other mutually. When CA-X updates cross-certificate, does CA-Y re-generate not crossCertificatePair? –CA-X only populate self-signed certificate to own domain internally. This CA-X looks like subordinate CA from outside.
3
3 What’s issue? (Theoretical issues) How does Relying-Party (RP) trust other CA? –Cross-Certification from Trust Anchor of RP. → Single trust point model –Trust the other CA directly. → Multi trust point model What is PKI domain? –Which CA SHOULD be recognized as same PKI domain? –How should we trust other PKI domain?
4
4 Objectives & Scope Objectives –To Achieve multi-domain PKI interoperability We have No standard for multi-domain PKI. –To limit irregular PKI in multi-domain PKI What kind of PKI does have interoperability, or not have? Scope –To Establish the guideline for PKI domain certification criteria Establish a trust relationship between CAs Establish a trust model for multi-domain PKI –As Best Current Practice, not specification
5
5 Contents of the Document 1.Introduction 2.Terminology 3.Trust Relationship –Define the trust relationship between CAs 4.Single-domain PKI –Define the model for single-domain PKI 5.Multi-domain PKI –Define the model for multi-domain PKI 6.Considerations
6
6 Section 3: Trust Relationship Trust List –List of trusted CA certificate User Trust List is managed by individual user Authority Trust List is managed by trusted authority (CA) Cross-Certification –Unilateral cross-certification –Bi-lateral cross-certification Subordination –Peculiar unilateral cross-certification –Subordinate CA has no self-signed certificate.
7
7 Section 4: Single-domain PKI Define the suitable models for participant to multi-domain PKI –Simple PKI –Hierarchy PKI –Mesh PKI Hierarchy Simple Mesh : CAs (translucent is not Trust Anchor) : EEs colored the same as their trust anchor : issued certificate : issued self-signed certificate
8
8 Section 5: Multi-domain PKI Multi-trust point model –Trust List Single-trust point model –Peer-to-Peer model based on cross-certification –Super domain model based on unilateral cross-certification –Hub model a.k.a Bridge CA model Peer-to-Peer Trust List Super Domain Hub RP
9
9 Section 6: Considerations Certificate & CRL Profile –Consider some extensions for achieving multi-domain PKI interoperability Repository –Consider how to obtain the required information for path construction and validation in multi-domain PKI Path Validation –Consider the path validation algorithm and parameters for multi- domain PKI Inter-domain consensus for cross-certification –Policy mapping –Validity of each cross-certificate validity of self-signed certificate Consider each CA key update
10
10 To Do To concretize a relation between PKI domain and domain policy To consider more about Hub model –Too complex To clear a relation with other dependent specification To consider about hybrid (heterogeneous) trust model –CA-X trusts CA-Y by unilateral cross-certification –CA-Y trusts CA-X by trust list I want co-authors
11
11 Related Resources Challenge PKI project Homepage –Multi-domain PKI Interoperability Framework –http://www.jnsa.org/mpki/ Internet-Draft for this –http://www.jnsa.org/mpki/draft-shimaoka-multidomain- pki-00.txt Implementation Problems on PKI –http://www.ipa.go.jp/security/fy13/report/pki_interop/cha lange2001.html Interoperability Issues for multi-domain PKI –http://www.jnsa.org/mpki/Interoperability_mPKI.pdf
12
12 Interoperability experiments I had joined –Japanese GPKI interoperability experiments Interconnecting GPKI BCA with some governmental CA and private CA Path validation and path control using some constraints http://www.gpki.go.jp/ [Sorry, Japanese only] –JKST-IWG (JP,KR,SG,CT Interoperability WG of ASIA PKI Forum) International CA-CA interoperability experiments Path processing experiments PKCS#11 API interoperability experiments http://www.japanpkiforum.jp/JKSHT-02/index.htm –English available, but not enough yet –JNSA/IPA Challenge PKI 200x CA-CA Interoperability Experiments (2001) PKI Interoperability Test Suite (2002) http://www.jnsa.org/mpki/ –Ready for English
13
13 Thank you. Masaki SHIMAOKA shimaoka@secom.ne.jp http://www.jnsa.org/mpki/
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.