UTF8String Deployment Status and Migration Plan Akira KANAOKA Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency,


1 UTF8String Deployment Status and Migration Plan
Akira KANAOKA
Challenge PKI Project
Japan Network Security Association
Sponsored by IT Promotion Agency, Japan

2 6-11 March 2005 UTF8String Deployment Statement and Migration Plan 2 Agenda
Problem statement
Project : Survey of UTF8String Problem in PKI Certificates
UTF8String Deployment Status in Asia
Ongoing Works
  –Migration plan for UTF8String
  –Test case design for UTF8String implementation

3 Problem statement
Deadline for migration in RFC 3280
  –31st Dec. 2003
  –Canceled in 3280bis
Lack of description to migrate in 3280.
  –Detailed string matching
  –Migration Plan
  –Certificate and CRL/ARL issuance during migration
Gap between CA and client implementation

4 The sequence of events
IETF : 58th meeting (Nov. 2003)
  –Addressed solving the UTF8String issue at PKIX.
Attention from IPA (Dec. 2003)
  –“On UTF8String problem of RFC 3280”
60th, 61st meeting (Jul., Nov. 2004)
  –stringmatch I-D
IPA* Project (Sep. 2004)
  –Survey of UTF8String Problem in PKI Certificates
  –Report submitted to IPA (Feb. 2005)
3280bis (Feb. 2005)
*IPA : IT Promotion Agency, Japan

5 Survey of UTF8String Problem in PKI Certificates
Explanation of the problem
Proposal for UTF8String migration
Survey
  –Product implementation
  –UTF8String deployment status in Asia
  –IETF activity around UTF8String
  –Test case design for UTF8String implementation
Migration Plan for UTF8String

6 UTF8String Deployment Status in Asia
Examined whether they use UTF8String for directoryName in certificates
Examined whether they use local characters in UTF8String
  –Local character : e.g. CJK (Chinese, Japanese, Korean)
Surveyed with a prepared questionnaire
Sent to members of “the Asia PKI Forum (APKI-F)”.
  –9 Countries and Regions

7 Countries and Regions
Replies to the Questionnaire
Sent to 9 countries and regions
Replies from 3 countries and regions (11 CAs)
CA Type

8 CA Type Description
“Government CA”
  –CA built by the Government for public service
“Accredited CA”
  –CA built by the private sector, and accredited or licensed by legal proceeding
“Commercial CA”
  –CA built by the private sector, and used for a public/closed PKI (Non-governmental).

9 Encoding Used in Each Field

Field                      CA1  CA2  CA3  CA4  CA5  CA6  CA7  CA8  CA9  CA10 CA11
issuer                     U    P    U    U    U    U    U    U    U    U    P
subject                    U    U    U    U    U    U    U    U    U    U    P
issuerAltName              -    -    -    -    -    -    -    U    -    U    U
subjectAltName             I    U    -    I    I    I    I    U    -    U    U
subjectDirectoryAttribute  -    -    -    P    U    U,P  P    -    -    -    -
nameConstraints            -    -    U    -    -    -    -    -    -    -    -
cRLDistributionPoints      U,I  I    I    I    I    I    I    U    U    U    I
authorityInfoAccess        -    -    I    I    I    I    I    -    -    -    -
other standard extensions  -    -    -    -    -    -    -    U    -    U    I,B
other private extensions   -    -    -    -    -    -    -    -    -    -    -
issuingDistributionPoint   U,I  I    -    -    -    -    -    U    P    -    -
CertificateIssuer          -    -    -    -    -    -    -    -    -    -    -
other CRL extensions       -    -    -    -    -    -    -    -    -    -    -

CCS (values in the order listed; column alignment is not recoverable from the transcript): JIS X 0208, CNS 11643, CNS 11643, CNS 11643, CNS 11643, CNS 11643, JIS X 0208, JIS X 0208, Unknown

*U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used
*CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
Marked cells (the marking is not preserved in this transcript): local character used

10 Encoding Use in Each Field (cont.)
Most CAs already use UTF8String.
Most CAs use local character.

Field                      CA1  CA2  CA3  CA4  CA5  CA6  CA7  CA8  CA9  CA10 CA11
issuer                     U    P    U    U    U    U    U    U    U    U    P
subject                    U    U    U    U    U    U    U    U    U    U    P
issuerAltName              -    -    -    -    -    -    -    U    -    U    U
subjectAltName             I    U    -    I    I    I    I    U    -    U    U

*U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used
*CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
Marked cells (the marking is not preserved in this transcript): local character used

11 Compliance with RFC 3280 and its Migration Plan

12 Additional Survey
UTF8String use in MS Windows Root Certificate Store
  –OS: Windows XP (Japanese)
  –as of January 2005
No certificate uses UTF8String.
  –107 certificates in the certificate store
  –No certificate issued after 31st Dec. 2003

Date of Issue            #
After 31st Dec. 2003     0
2001                     1
1999                     55
1998                     29
1997                     4
1996                     16
1995                     1
1994                     1

13 Conclusion : UTF8String Deployment Status in Asia
Contrast between Government CAs and Commercial CAs
Most Government CAs use UTF8String (by Questionnaire)
No Commercial CA uses UTF8String (by MS Windows Certificate Stores)
  –Asian Government CAs hope to use local character. Most governments use local character for register information.

14 Conclusion (cont.) : UTF8String Deployment Status in Asia
Few CAs have a Migration Plan to UTF8String
  –Most Government CAs use UTF8String from the beginning.
  –There is only one case having a migration plan. Deadline of the case : November, 2005
Best Practice for using/migration to UTF8String is needed.
  –We don’t have any guideline.

15 Ongoing Project
Migration Plan
  –CA certificate Re-issue or re-build
  –CRL encoding after migration of CA certs: ‘Keeping legacy encoding’ or ‘Using UTF8String’
  –Need to publish this as informational RFC?
Test Case Designing
  –Typical case of: path building (‘different encoding’ and ‘comparison rules’), Revocation checking
  –Providing the Test data of: Sample Certificate and CRL
  –Available by the end of this month on our web site
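
The 'different encoding' and 'comparison rules' path-building case named on this slide, as an added Python example that is not part of the original slides or the project's test data: the same commonName is DER-encoded as PrintableString and as UTF8String, then compared byte-wise and after normalization. The names are constructed, and `normalize` is an assumed, simplified stand-in for comparison rules, not the stringprep profile of RFC 3454.

```python
import unicodedata

PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C               # ASN.1 universal tags
OID_COMMON_NAME = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # DER of OID 2.5.4.3

def tlv(tag, value):
    """DER tag-length-value, short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_name(cn, string_tag):
    """DER Name with a single commonName RDN in the given string type."""
    # PrintableString is a subset of ASCII, so CJK text raises UnicodeEncodeError here.
    text = cn.encode("ascii" if string_tag == PRINTABLE_STRING else "utf-8")
    atv = tlv(0x30, OID_COMMON_NAME + tlv(string_tag, text))
    return tlv(0x30, tlv(0x31, atv))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def decode_cn(name):
    """Return (string_tag, text) from a Name built by encode_name."""
    atv = read_tlv(read_tlv(read_tlv(name)[1])[1])[1]  # SEQUENCE > SET > SEQUENCE
    tag, raw, _ = read_tlv(atv, read_tlv(atv)[2])      # value follows the OID
    return tag, raw.decode("utf-8")                    # ASCII is a UTF-8 subset

def normalize(text):
    """Assumed, simplified comparison rule: NFKC, case fold, collapse spaces."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def names_chain(issuer, subject, binary_only):
    """Does the issuer Name in a certificate match the CA's subject Name?"""
    if binary_only:
        return issuer == subject
    return normalize(decode_cn(issuer)[1]) == normalize(decode_cn(subject)[1])

if __name__ == "__main__":
    # Constructed case: certificate issued before migration, CA cert re-issued after.
    old = encode_name("Example Gov CA", PRINTABLE_STRING)
    new = encode_name("Example Gov CA", UTF8_STRING)
    print(old.hex(), new.hex(), sep="\n")
    print("binary:", names_chain(old, new, True), "normalized:", names_chain(old, new, False))
```

The two encodings differ only in the string tag byte, which is enough for a byte-wise chaining check to reject the path.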

16 Reference
JNSA Challenge PKI Project
  –http://www.jnsa.org/mpki/
RFC 3454 - Preparation of Internationalized Strings ("stringprep")
  –http://www.ietf.org/rfc/rfc3454.txt
3280bis
  –http://csrc.nist.gov/pki/documents/PKIX/draft-ietf-pkix-rfc3280bis-00.txt

17 Appendix : Questionnaire outline
Certificate and CRL/ARL
  –Kind of local character (e.g. CJK)
  –Kind of encoding for directoryName
  –Kind of CCS
  –Difference between CA self-signed certificate and EE certificate
Migration Plan to UTF8String
  –Plan existence
  –Migration deadline, reason
  –Migration reference existence

