1. User Interface Requirement for the Internet X.509 PKI Jaeho Yoon (on behalf of Tae K. Choi) KOREA INFORMATION SECURITY AGENCY August 4, 2004

2. Overview  Individual Document http://www.ietf.org/internet-drafts/draft-choi-pkix-ui-00.txt  Purpose of this Draft To define basic requirements of user interface at PKI client software  Scope of Basic Requirements Security InteroperabilityUsability

3. Why UI ?  PKI technologies are well developed, but PKI related S/W offers poor usability  PKI application is suffered by bad interaction between user and PKI application due to the complexity of PKI technology - Grandparents and even my friends have some trouble - Understand the subscriber’s view : It’s easy for us, but others not  It’s not only about UI design issue, but also technical issue “Some kinds of requirement are needed”

4. What are we looking for ?  Simple and automated PKI - According to our survey on subscribers  Transparent PKI operation  Plug-and Play PKI - from Peter Gutmann’s paper : Plug-and-Play PKI  PKI Black Box - from Adams and Lloyed’s book : Understanding PKI “Usable PKI S/W by User Friendly Interface”

5. Security Requirement  Client software installation and upgrade Should be obtained in secure manner Automatic update function  Root CA certificate trust mechanism The relying party should obtain the root CA certificate and public key in secure manner A user from third party certificate that can not installed in web browser has difficulty in identifying their own root public key trust relationship Automatic update function

6. Interoperability Requirement  Certificate and Private Key Sharing Mechanism One certificate to many applications Increasing certificate mobility  Requirements Common Storage Location Storage Format File naming rule (certificate/private key)

7. Common Storage Location  To define a common path to store certificate and private key  Example In case of hard disk in MS Windows system : C:\Program Files\IETF\PKIX IETF : PKI domain name PKIX : Organization name in DN

8. File naming rule for certificate private key  On updating CA certificate and having a certificate which has muti-identical DN, it is required to use an unique file name  SKI (Subject Key Identifier ) SKI value_serial number.der SKI : Hex number of forty digits Serial number : Decimal number Example for MS Windows : C:\Program Files\IETF\PKIX\SKI value_serial number.der

9. Storage Format  Increasing compatibility in different client software  Unified format for storing certificate and private key is required  Certificate : DER or PEM format  Private Key : PKCS #5 & PKCS #8

10. Usability Requirement  Certificate Representation Certificate information area Storage type selection area Certificate Management area  Categorization of Storage Medium Hard disk Floppy disk CD USB Drive, token, and key Smartcard

11. Thank you ! tkchoi@kisa.or.kr