1 / 13

jnsa/mpki/ mpki@jnsa Masaki SHIMAOKA shimaoka@secom.ne.jp

Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt. http://www.jnsa.org/mpki/ mpki@jnsa.org Masaki SHIMAOKA shimaoka@secom.ne.jp. Motivations (Actual operational issues). Japanese GPKI is based on Bridge CA architecture.

Download Presentation

jnsa/mpki/ mpki@jnsa Masaki SHIMAOKA shimaoka@secom.ne.jp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Memorandum for multi-domain PKI interoperabilityhttp://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt http://www.jnsa.org/mpki/ mpki@jnsa.org Masaki SHIMAOKA shimaoka@secom.ne.jp

  2. Motivations(Actual operational issues) • Japanese GPKI is based on Bridge CA architecture. • Needed various interoperability experiments • Raised not only technical issues, but many operational issues. • Bridge CA MUST be neutral and strict. • Needs domain certification criteria. • MUST restrict connecting with irregular trust model which has not interoperability. • Some confusing example • CA-X cross-certifies subordinate CA-Y of another domain. • Does CA-X trust not the superior CA-Z of CA-Y, though the ARL of CA-Y is issued by CA-Z? • How does CA-X trust and verify the ARL issued by CA-Z? • CA-X and CA-Y cross-certify each other mutually. • When CA-X updates cross-certificate, does CA-Y re-generate not crossCertificatePair? • CA-X only populate self-signed certificate to own domain internally. • This CA-X looks like subordinate CA from outside.

  3. What’s issue?(Theoretical issues) • How does Relying-Party (RP) trust other CA? • Cross-Certification from Trust Anchor of RP. • Single trust point model • Trust the other CA directly. • Multi trust point model • What is PKI domain? • Which CA SHOULD be recognized as same PKI domain? • How should we trust other PKI domain?

  4. Objectives & Scope • Objectives • To Achieve multi-domain PKI interoperability • We have No standard for multi-domain PKI. • To limit irregular PKI in multi-domain PKI • What kind of PKI does have interoperability, or not have? • Scope • To Establish the guideline for PKI domain certification criteria • Establish a trust relationship between CAs • Establish a trust model for multi-domain PKI • As Best Current Practice, not specification

  5. Contents of the Document • Introduction • Terminology • Trust Relationship • Define the trust relationship between CAs • Single-domain PKI • Define the model for single-domain PKI • Multi-domain PKI • Define the model for multi-domain PKI • Considerations

  6. Section 3: Trust Relationship • Trust List • List of trusted CA certificate • User Trust List is managed by individual user • Authority Trust List is managed by trusted authority (CA) • Cross-Certification • Unilateral cross-certification • Bi-lateral cross-certification • Subordination • Peculiar unilateral cross-certification • Subordinate CA has no self-signed certificate.

  7. Section 4: Single-domain PKI • Define the suitable models for participant to multi-domain PKI • Simple PKI • Hierarchy PKI • Mesh PKI : CAs (translucent is not Trust Anchor) : EEs colored the same as their trust anchor : issued certificate : issued self-signed certificate Mesh Hierarchy Simple

  8. Section 5: Multi-domain PKI Trust List • Multi-trust point model • Trust List • Single-trust point model • Peer-to-Peer model • based on cross-certification • Super domain model • based on unilateral cross-certification • Hub model • a.k.a Bridge CA model RP Peer-to-Peer RP Super Domain Hub RP RP

  9. Section 6: Considerations • Certificate & CRL Profile • Consider some extensions for achieving multi-domain PKI interoperability • Repository • Consider how to obtain the required information for path construction and validation in multi-domain PKI • Path Validation • Consider the path validation algorithm and parameters for multi-domain PKI • Inter-domain consensus for cross-certification • Policy mapping • Validity of each cross-certificate • validity of self-signed certificate • Consider each CA key update

  10. To Do • To concretize a relation between PKI domain and domain policy • To consider more about Hub model • Too complex • To clear a relation with other dependent specification • To consider about hybrid (heterogeneous) trust model • CA-X trusts CA-Y by unilateral cross-certification • CA-Y trusts CA-X by trust list • I want co-authors 

  11. Related Resources • Challenge PKI project Homepage • Multi-domain PKI Interoperability Framework • http://www.jnsa.org/mpki/ • Internet-Draft for this • http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt • Implementation Problems on PKI • http://www.ipa.go.jp/security/fy13/report/pki_interop/chalange2001.html • Interoperability Issues for multi-domain PKI • http://www.jnsa.org/mpki/Interoperability_mPKI.pdf

  12. Interoperability experimentsI had joined • Japanese GPKI interoperability experiments • Interconnecting GPKI BCA with some governmental CA and private CA • Path validation and path control using some constraints • http://www.gpki.go.jp/ [Sorry, Japanese only] • JKST-IWG (JP,KR,SG,CTInteroperability WG of ASIA PKI Forum) • International CA-CA interoperability experiments • Path processing experiments • PKCS#11 API interoperability experiments • http://www.japanpkiforum.jp/JKSHT-02/index.htm • English available, but not enough yet • JNSA/IPA Challenge PKI 200x • CA-CA Interoperability Experiments (2001) • PKI Interoperability Test Suite (2002) • http://www.jnsa.org/mpki/ • Ready for English

  13. Thank you. Masaki SHIMAOKA shimaoka@secom.ne.jp http://www.jnsa.org/mpki/

More Related