Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt"— Presentation transcript:

1 1 Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka- multidomain-pki-00.txt http://www.jnsa.org/mpki/ mpki@jnsa.org Masaki SHIMAOKA shimaoka@secom.ne.jp

2 2 Motivations (Actual operational issues) Japanese GPKI is based on Bridge CA architecture. –Needed various interoperability experiments –Raised not only technical issues, but many operational issues. Bridge CA MUST be neutral and strict. –Needs domain certification criteria. –MUST restrict connecting with irregular trust model which has not interoperability. Some confusing example –CA-X cross-certifies subordinate CA-Y of another domain. Does CA-X trust not the superior CA-Z of CA-Y, though the ARL of CA-Y is issued by CA-Z? How does CA-X trust and verify the ARL issued by CA-Z? –CA-X and CA-Y cross-certify each other mutually. When CA-X updates cross-certificate, does CA-Y re-generate not crossCertificatePair? –CA-X only populate self-signed certificate to own domain internally. This CA-X looks like subordinate CA from outside.

3 3 What’s issue? (Theoretical issues) How does Relying-Party (RP) trust other CA? –Cross-Certification from Trust Anchor of RP. → Single trust point model –Trust the other CA directly. → Multi trust point model What is PKI domain? –Which CA SHOULD be recognized as same PKI domain? –How should we trust other PKI domain?

4 4 Objectives & Scope Objectives –To Achieve multi-domain PKI interoperability We have No standard for multi-domain PKI. –To limit irregular PKI in multi-domain PKI What kind of PKI does have interoperability, or not have? Scope –To Establish the guideline for PKI domain certification criteria Establish a trust relationship between CAs Establish a trust model for multi-domain PKI –As Best Current Practice, not specification

5 5 Contents of the Document 1.Introduction 2.Terminology 3.Trust Relationship –Define the trust relationship between CAs 4.Single-domain PKI –Define the model for single-domain PKI 5.Multi-domain PKI –Define the model for multi-domain PKI 6.Considerations

6 6 Section 3: Trust Relationship Trust List –List of trusted CA certificate User Trust List is managed by individual user Authority Trust List is managed by trusted authority (CA) Cross-Certification –Unilateral cross-certification –Bi-lateral cross-certification Subordination –Peculiar unilateral cross-certification –Subordinate CA has no self-signed certificate.

7 7 Section 4: Single-domain PKI Define the suitable models for participant to multi-domain PKI –Simple PKI –Hierarchy PKI –Mesh PKI Hierarchy Simple Mesh : CAs (translucent is not Trust Anchor) : EEs colored the same as their trust anchor : issued certificate : issued self-signed certificate

8 8 Section 5: Multi-domain PKI Multi-trust point model –Trust List Single-trust point model –Peer-to-Peer model based on cross-certification –Super domain model based on unilateral cross-certification –Hub model a.k.a Bridge CA model Peer-to-Peer Trust List Super Domain Hub RP

9 9 Section 6: Considerations Certificate & CRL Profile –Consider some extensions for achieving multi-domain PKI interoperability Repository –Consider how to obtain the required information for path construction and validation in multi-domain PKI Path Validation –Consider the path validation algorithm and parameters for multi- domain PKI Inter-domain consensus for cross-certification –Policy mapping –Validity of each cross-certificate validity of self-signed certificate Consider each CA key update

10 10 To Do To concretize a relation between PKI domain and domain policy To consider more about Hub model –Too complex To clear a relation with other dependent specification To consider about hybrid (heterogeneous) trust model –CA-X trusts CA-Y by unilateral cross-certification –CA-Y trusts CA-X by trust list I want co-authors

11 11 Related Resources Challenge PKI project Homepage –Multi-domain PKI Interoperability Framework –http://www.jnsa.org/mpki/ Internet-Draft for this –http://www.jnsa.org/mpki/draft-shimaoka-multidomain- pki-00.txt Implementation Problems on PKI –http://www.ipa.go.jp/security/fy13/report/pki_interop/cha lange2001.html Interoperability Issues for multi-domain PKI –http://www.jnsa.org/mpki/Interoperability_mPKI.pdf

12 12 Interoperability experiments I had joined –Japanese GPKI interoperability experiments Interconnecting GPKI BCA with some governmental CA and private CA Path validation and path control using some constraints http://www.gpki.go.jp/ [Sorry, Japanese only] –JKST-IWG (JP,KR,SG,CT Interoperability WG of ASIA PKI Forum) International CA-CA interoperability experiments Path processing experiments PKCS#11 API interoperability experiments http://www.japanpkiforum.jp/JKSHT-02/index.htm –English available, but not enough yet –JNSA/IPA Challenge PKI 200x CA-CA Interoperability Experiments (2001) PKI Interoperability Test Suite (2002) http://www.jnsa.org/mpki/ –Ready for English

13 13 Thank you. Masaki SHIMAOKA shimaoka@secom.ne.jp http://www.jnsa.org/mpki/

Download ppt "1 Memorandum for multi-domain PKI interoperability multidomain-pki-00.txt"

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
Status Report of the Study Group on MDR/MFI Implemenations ISO/IEC JTC 1/SC 32/WG2 Interim Meeting Santa Fe, NM, USA, November 11~15, 2013 Dongwon Jeong,

Status Report of the Study Group on MDR/MFI Implemenations ISO/IEC JTC 1/SC 32/WG2 Interim Meeting Santa Fe, NM, USA, November 11~15, 2013 Dongwon Jeong,
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Copyright Judith Spencer 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
© 1998-2004 ITU Telecommunication Development Bureau (BDT) – E-Strategies Unit.. Page - 1 Building Trust and Security for E-government Dubai, United Arab.

© ITU Telecommunication Development Bureau (BDT) – E-Strategies Unit.. Page - 1 Building Trust and Security for E-government Dubai, United Arab.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
1 Current Status of Japanese Government PKI Systems Yasuo Miyakawa*+, Takashi Kurokawa*, Akihiro Yamamura* and Yasushi Matsumoto+ * National Institute.

1 Current Status of Japanese Government PKI Systems Yasuo Miyakawa*+, Takashi Kurokawa*, Akihiro Yamamura* and Yasushi Matsumoto+ * National Institute.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -00 to -01 Oct 27, 2003 Masaki SHIMAOKA SECOM Trust.net.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
EEMA’s pki Challenge Paul Green – VeriSign and pkiC testing participant.

EEMA’s pki Challenge Paul Green – VeriSign and pkiC testing participant.
Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,

Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Similar presentations

Ads by Google